CVE-2026-30862

Critical CVSS: 9.0

Appsmith is a platform to build admin panels, internal tools, and dashboards. Prior to 1.96, a Critical Stored XSS vulnerability exists in the Table Widget (TableWidgetV2). The root cause is a lack of HTML sanitization in the React component rendering pipeline, allowing malicious attributes to be interpolated into the DOM. By leveraging the "Invite Users" feature, an attacker with a regular user account (user@gmail.com) can force a System Administrator to execute a high-privileged API call (/api/v1/admin/env), resulting in a Full Administrative Account Takeover. This vulnerability is fixed in 1.96.

Vendor

Appsmith

Product

Appsmith

CWE

CWE-79

Yayın Tarihi

2026-03-10 17:40:14

Güncelleme

2026-03-13 15:34:16

Source Identifier

security-advisories@github.com

KEV Date Added

Kategoriler

CWE-79 Appsmith CRITICAL Appsmith 2026

Referanslar

https://github.com/appsmithorg/appsmith/security/advisories/GHSA-5hw4-whxv-6794 https://github.com/appsmithorg/appsmith/security/advisories/GHSA-5hw4-whxv-6794

Benzer Kayıtlar

Medium

CVE-2026-34411

Appsmith versions prior to 1.98 expose sensitive instance management API endpoints without authentication. Unauthenticat…

Critical

CVE-2026-24042

Appsmith is a platform to build admin panels, internal tools, and dashboards. In versions 1.94 and below, publicly acces…

Critical

CVE-2026-22794

Appsmith is a platform to build admin panels, internal tools, and dashboards. Prior to 1.93, the server uses the Origin…

Medium

CVE-2024-55965

An issue was discovered in Appsmith before 1.51. Users invited as "App Viewer" incorrectly have access to development in…

Medium

CVE-2024-55963

An issue was discovered in Appsmith before 1.51. A user on Appsmith that doesn't have admin permissions can trigger the…

Critical

CVE-2024-55964

An issue was discovered in Appsmith before 1.52. An incorrectly configured PostgreSQL instance in the Appsmith image lea…