Severity by source
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
6Blast Radius
ecosystem impact- 1 maven packages depend on org.apache.storm:storm-webapp (1 direct, 0 indirect)
Ecosystem-wide dependent count for version 2.8.6.
DescriptionCVE.org
Stored Cross-Site Scripting (XSS) via Unsanitized Topology Metadata in Apache Storm UI
Versions Affected: before 2.8.6
Description: The Storm UI visualization component interpolates topology metadata including component IDs, stream names, and grouping values directly into HTML via innerHTML in parseNode() and parseEdge() without sanitization at any layer. An authenticated user with topology submission rights could craft a topology containing malicious HTML/JavaScript in component identifiers (e.g., a bolt ID containing an onerror event handler). This payload flows through Nimbus → Thrift → the Visualization API → vis.js tooltip rendering, resulting in stored cross-site scripting.
In multi-tenant deployments where topology submission is available to less-trusted users but the UI is accessed by operators or administrators, this enables privilege escalation through script execution in an admin's browser session.
Mitigation: 2.x users should upgrade to 2.8.6. Users who cannot upgrade immediately should monkey-patch the parseNode() and parseEdge() functions in the visualization JavaScript file to HTML-escape all API-supplied values including nodeId, :capacity, :latency, :component, :stream, and :grouping before interpolation into tooltip HTML strings, and should additionally restrict topology submission to trusted users via Nimbus ACLs as a defense-in-depth measure. A guide on how to do this is available in the release notes of 2.8.6.
Credit: This issue was discovered while investigating another report by K.
AnalysisAI
Stored cross-site scripting in Apache Storm UI before 2.8.6 allows authenticated users with topology submission rights to inject malicious HTML/JavaScript via unsanitized component identifiers, stream names, and grouping values in the visualization component. The payload persists in Nimbus and executes in the browser of any administrator viewing the topology visualization, enabling privilege escalation in multi-tenant deployments. EPSS score of 0.04% and SSVC assessment of partial technical impact with no automated exploitation indicate relatively low real-world risk despite the concerning privilege-escalation scenario.
Technical ContextAI
Apache Storm's UI visualization component uses vis.js for rendering network topology graphs. The vulnerability exists in JavaScript functions parseNode() and parseEdge(), which directly interpolate topology metadata (component IDs, stream names, grouping attributes) into HTML via innerHTML without sanitization. Topology metadata originates from Nimbus (Storm's master) via Thrift RPC and flows through the Visualization API to the frontend JavaScript layer. The root cause is inadequate input validation (CWE-79: Improper Neutralization of Input During Web Page Generation) at the point where user-controlled data from topology definitions enters HTML construction. Because topology definitions are stored persistently in Nimbus, malicious payloads remain in the system and execute whenever the topology visualization is rendered.
RemediationAI
Upgrade to Apache Storm 2.8.6 or later, which includes sanitization of topology metadata in the visualization JavaScript layer. For organizations unable to upgrade immediately, the release notes of Apache Storm 2.8.6 provide a guide to manually monkey-patch the parseNode() and parseEdge() functions in the visualization JavaScript file to HTML-escape all API-supplied values (nodeId, capacity, latency, component, stream, grouping attributes) before interpolation into tooltip HTML. Additionally, implement defense-in-depth by restricting topology submission permissions via Nimbus ACLs to only trusted users, reducing the attack surface. Consult the official advisory at https://storm.apache.org/2026/04/12/storm286-released.html and https://nvd.nist.gov/vuln/detail/CVE-2026-35565 for detailed remediation guidance.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-21904