
Appsmith CVE-2026-30862

Severity: CRITICAL 9.0 (CVSS 3.1, GitHub Advisory)
Weakness: Cross-site Scripting (XSS) (CWE-79)
Published: 2026-03-10 (source: security-advisories@github.com)

Severity by source

GitHub Advisory (primary): 9.0 CRITICAL, AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Primary rating from GitHub Advisory; only source for this CVE.

CVSS Vector (GitHub Advisory)

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

CVE Published: Mar 10, 2026 17:40 (nvd)
Analysis Generated: Mar 12, 2026 21:55 (vuln.today)

Description (GitHub Advisory)

Appsmith is a platform to build admin panels, internal tools, and dashboards. Prior to 1.96, a Critical Stored XSS vulnerability exists in the Table Widget (TableWidgetV2). The root cause is a lack of HTML sanitization in the React component rendering pipeline, allowing malicious attributes to be interpolated into the DOM. By leveraging the "Invite Users" feature, an attacker with a regular user account (user@gmail.com) can force a System Administrator to execute a high-privileged API call (/api/v1/admin/env), resulting in a Full Administrative Account Takeover. This vulnerability is fixed in 1.96.

Analysis (AI)

Appsmith before version 1.96 has a critical stored XSS in the Table Widget (TableWidgetV2): unsanitized content reaches the DOM as HTML attributes. A regular user can deliver a payload to a System Administrator through the "Invite Users" feature; when the administrator views it, the script runs in their session and calls the privileged /api/v1/admin/env endpoint, giving the attacker full administrative account takeover.


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata:

  • Access: craft a stored XSS payload that renders inside TableWidgetV2.
  • Delivery: inject it via the "Invite Users" feature from a regular user account.
  • Exploit: the administrator opens the link and the stored payload runs in their browser (the UI:R in the vector).
  • Execution: the script calls /api/v1/admin/env with the administrator's session.
  • Impact: full administrative account takeover.
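The description and the attack chain above both turn on one mechanism: untrusted content reaching the DOM as markup instead of text. The following is an added example, not Appsmith's code and not the reported exploit: a toy cell renderer (`renderCellUnsafe`, `renderCellSafe`) stands in for whatever rendering path let attributes through, `PAYLOAD` is a constructed string of the general shape such an attack takes, and `attributesOf` is a small attribute tokenizer used to tell the two outputs apart. Only the endpoint path comes from the advisory; every function name is this example's own.

```javascript
// Added example (not Appsmith's code): a toy table-cell renderer showing the
// bug class the advisory describes, untrusted cell content reaching the DOM
// as markup, next to a hardened version and a check that tells them apart.

// Constructed payload. It closes the attribute the renderer opened and adds an
// event handler that calls the admin-only endpoint named in the advisory from
// the viewing administrator's session. Illustrative, not the reported exploit.
const PAYLOAD = '" onmouseover="fetch(\'/api/v1/admin/env\')';

// Vulnerable: raw string interpolation into attribute and text positions.
function renderCellUnsafe(value) {
  return `<span class="cell" title="${value}">${value}</span>`;
}

// Escapes the five characters that can change meaning in HTML text or in a
// double- or single-quoted attribute value.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened: the same markup, but the value is escaped before interpolation.
function renderCellSafe(value) {
  const text = escapeHtml(value);
  return `<span class="cell" title="${text}">${text}</span>`;
}

// Lists the attribute names of every start tag in a fragment, tokenizing the
// way a browser does: a quoted attribute value is opaque until its closing
// quote. A regex such as /on\w+=/ would wrongly flag the escaped output too,
// because the letters "onmouseover=" survive escaping as plain text.
function attributesOf(html) {
  const names = [];
  const at = (i) => html[i] || '';
  let i = 0;
  while ((i = html.indexOf('<', i)) !== -1) {
    i++;
    if (!/[a-zA-Z]/.test(at(i))) continue;                    // end tag, comment, stray '<'
    while (i < html.length && !/[\s\/>]/.test(at(i))) i++;    // skip the tag name
    while (i < html.length && at(i) !== '>') {
      while (/[\s\/]/.test(at(i))) i++;
      if (at(i) === '>') break;
      let name = '';
      while (i < html.length && !/[\s=\/>]/.test(at(i))) name += html[i++];
      while (/\s/.test(at(i))) i++;
      if (at(i) === '=') {                                     // consume the value
        i++;
        while (/\s/.test(at(i))) i++;
        const q = at(i);
        if (q === '"' || q === "'") {
          const close = html.indexOf(q, i + 1);
          i = close === -1 ? html.length : close + 1;
        } else {
          while (i < html.length && !/[\s>]/.test(at(i))) i++;
        }
      }
      if (name) names.push(name.toLowerCase());
    }
    i++;
  }
  return names;
}

// True when any start tag carries an event-handler attribute, i.e. untrusted
// input was interpreted as markup rather than as text.
function hasInjectedHandler(html) {
  return attributesOf(html).some((name) => name.startsWith('on'));
}

console.log('unsafe:', hasInjectedHandler(renderCellUnsafe(PAYLOAD))); // true
console.log('safe:  ', hasInjectedHandler(renderCellSafe(PAYLOAD)));   // false
```

Two caveats a reviewer of a real React code base would add. First, escaping only protects a quoted attribute; an unquoted `title=${value}` is still injectable through a space. Second, React escapes text children and string props by itself, so in a React widget this bug class usually enters through `dangerouslySetInnerHTML` fed with unsanitized input, through user-controlled objects spread onto a DOM element (which lets an `onMouseOver` key become a handler), or through `href`/`src` values with a `javascript:` scheme. Where rendering user-supplied HTML is a feature rather than a bug, run it through a maintained sanitizer such as DOMPurify instead of a hand-written escape or regex.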

Vulnerability Assessment (AI)

Exploitation: Requires a valid, low-privileged user account on the Appsmith instance (PR:L) and a System Administrator who views the poisoned content (UI:R). …
Risk Assessment: CVSS 9.0. Appsmith builds internal tools, and the vector rates confidentiality, integrity and availability impact all High with a scope change, because the payload acts in the administrator's browser session rather than in the widget itself. …
Exploit Scenario: A regular user stores a payload in content rendered by TableWidgetV2 and reaches an administrator through the "Invite Users" feature; when the administrator views it, the script runs in their browser session and issues a privileged request to /api/v1/admin/env, yielding full administrative account takeover.
Remediation: Update Appsmith to 1.96 or later, the version the advisory names as fixed.

Recommended Action (AI)

Within 24 hours: audit all Appsmith instances for their version (anything before 1.96 is affected) and inventory Table Widget usage in production dashboards. …


CVE-2026-30862 vulnerability details – vuln.today
