Skip to main content

Outerbase Studio CVE-2026-55650

MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-06-19 https://github.com/outerbase/studio GHSA-wwf9-7jrc-rv4q
4.4
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
4.4 MEDIUM
AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
vuln.today AI
4.4 MEDIUM

AV:L reflects purely client-side execution with no network reachability; PR:N since no role gatekeeps Text Widget authorship; UI:R because a second user must view the dashboard.

3.1 AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
4.0 AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

3
Source Code Evidence Fetched
Jun 19, 2026 - 23:45 vuln.today
Analysis Generated
Jun 19, 2026 - 23:45 vuln.today
CVE Published
Jun 19, 2026 - 21:18 github-advisory
MEDIUM 4.4

DescriptionGitHub Advisory

Summary

A Stored Cross-Site Scripting (XSS) issue previously existed in the Text Widget in Board of Outerbase Studio where unsanitized HTML could be rendered using dangerouslySetInnerHTML

Steps to Reproduce

  1. Create a new dashboard.
  2. Add a Text widget.
  3. Insert the following payload:
html
<img src=x onerror="alert('XSS Executed\nToken: ' + localStorage.getItem('ob-token'))">

Architectural Context

Outerbase Cloud and its backend services were discontinued in 2025.

The current version of Outerbase Studio operates purely as a client-side application, with dashboard data stored locally in the browser.

Impact

In the current architecture, the impact is limited to local self-XSS within a user's browser session. The previously described scenarios involving:

  • authentication token theft
  • account takeover
  • database access

are no longer applicable since there are no active backend services or authentication tokens.

Remediation

The unsafe HTML rendering in the Text Widget has been removed in commit https://github.com/outerbase/studio/commit/b06fb85e5967440278d5a815721b360920566ab9 by eliminating the use of dangerouslySetInnerHTML.

AnalysisAI

Stored XSS in Outerbase Studio's Text Widget (npm/@outerbase/studio <= 0.10.2) allowed arbitrary HTML injection through React's dangerouslySetInnerHTML, enabling script execution in any user who viewed a malicious dashboard. The real-world severity is substantially reduced from legacy disclosures: Outerbase Cloud was discontinued in 2025, leaving the application as a purely client-side tool with no backend, no shared sessions, and no persistent authentication tokens - eliminating the originally described token-theft and account-takeover scenarios. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Craft malicious dashboard with XSS payload in Text Widget
Delivery
Deliver dashboard file or link to victim
Exploit
Victim opens dashboard in vulnerable Studio version
Execution
dangerouslySetInnerHTML renders injected HTML
Persist
Attacker JavaScript executes in victim's browser session
Impact
Access local browser context (DOM, localStorage)

Vulnerability AssessmentAI

Exploitation The victim must be running Outerbase Studio npm package version 0.10.2 or earlier and must view a dashboard that contains a Text Widget authored with a malicious HTML payload. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment CVSS 4.4 with AV:L/UI:R/S:U/C:L/I:L reflects the bounded, client-side nature of this vulnerability accurately. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker crafts a dashboard containing a Text Widget with a payload such as <img src=x onerror='...'>. If the attacker can induce a victim to open that dashboard in Outerbase Studio (for example, by distributing a malicious dashboard export file or by being present in a shared local environment), the onerror handler executes in the victim's browser session. …
Remediation The upstream fix is available as commit b06fb85e5967440278d5a815721b360920566ab9 (https://github.com/outerbase/studio/commit/b06fb85e5967440278d5a815721b360920566ab9), which removes the dangerouslySetInnerHTML rendering path in the Text Widget and replaces it with React's safe text-node rendering. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-55650 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy