Outerbase Studio CVE-2026-55650
MEDIUMSeverity by source
AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
AV:L reflects purely client-side execution with no network reachability; PR:N since no role gatekeeps Text Widget authorship; UI:R because a second user must view the dashboard.
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Lifecycle Timeline
3DescriptionGitHub Advisory
Summary
A Stored Cross-Site Scripting (XSS) issue previously existed in the Text Widget in Board of Outerbase Studio where unsanitized HTML could be rendered using dangerouslySetInnerHTML
Steps to Reproduce
- Create a new dashboard.
- Add a Text widget.
- Insert the following payload:
<img src=x onerror="alert('XSS Executed\nToken: ' + localStorage.getItem('ob-token'))">Architectural Context
Outerbase Cloud and its backend services were discontinued in 2025.
The current version of Outerbase Studio operates purely as a client-side application, with dashboard data stored locally in the browser.
Impact
In the current architecture, the impact is limited to local self-XSS within a user's browser session. The previously described scenarios involving:
- authentication token theft
- account takeover
- database access
are no longer applicable since there are no active backend services or authentication tokens.
Remediation
The unsafe HTML rendering in the Text Widget has been removed in commit https://github.com/outerbase/studio/commit/b06fb85e5967440278d5a815721b360920566ab9 by eliminating the use of dangerouslySetInnerHTML.
AnalysisAI
Stored XSS in Outerbase Studio's Text Widget (npm/@outerbase/studio <= 0.10.2) allowed arbitrary HTML injection through React's dangerouslySetInnerHTML, enabling script execution in any user who viewed a malicious dashboard. The real-world severity is substantially reduced from legacy disclosures: Outerbase Cloud was discontinued in 2025, leaving the application as a purely client-side tool with no backend, no shared sessions, and no persistent authentication tokens - eliminating the originally described token-theft and account-takeover scenarios. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The victim must be running Outerbase Studio npm package version 0.10.2 or earlier and must view a dashboard that contains a Text Widget authored with a malicious HTML payload. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | CVSS 4.4 with AV:L/UI:R/S:U/C:L/I:L reflects the bounded, client-side nature of this vulnerability accurately. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker crafts a dashboard containing a Text Widget with a payload such as <img src=x onerror='...'>. If the attacker can induce a victim to open that dashboard in Outerbase Studio (for example, by distributing a malicious dashboard export file or by being present in a shared local environment), the onerror handler executes in the victim's browser session. … |
| Remediation | The upstream fix is available as commit b06fb85e5967440278d5a815721b360920566ab9 (https://github.com/outerbase/studio/commit/b06fb85e5967440278d5a815721b360920566ab9), which removes the dangerouslySetInnerHTML rendering path in the Text Widget and replaces it with React's safe text-node rendering. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-wwf9-7jrc-rv4q