Skip to main content

Apache EUVDEUVD-2026-21904

| CVE-2026-35565 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-04-13 apache
5.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

6
Patch released
Apr 15, 2026 - 02:30 nvd
Patch available
Analysis Generated
Apr 13, 2026 - 15:22 vuln.today
CVSS changed
Apr 13, 2026 - 15:22 NVD
5.4 (None) 5.4 (MEDIUM)
EUVD ID Assigned
Apr 13, 2026 - 10:15 euvd
EUVD-2026-21904
Analysis Generated
Apr 13, 2026 - 10:15 vuln.today
CVE Published
Apr 13, 2026 - 09:10 nvd
MEDIUM 5.4

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 1 maven packages depend on org.apache.storm:storm-webapp (1 direct, 0 indirect)

Ecosystem-wide dependent count for version 2.8.6.

DescriptionCVE.org

Stored Cross-Site Scripting (XSS) via Unsanitized Topology Metadata in Apache Storm UI

Versions Affected: before 2.8.6

Description: The Storm UI visualization component interpolates topology metadata including component IDs, stream names, and grouping values directly into HTML via innerHTML in parseNode() and parseEdge() without sanitization at any layer. An authenticated user with topology submission rights could craft a topology containing malicious HTML/JavaScript in component identifiers (e.g., a bolt ID containing an onerror event handler). This payload flows through Nimbus → Thrift → the Visualization API → vis.js tooltip rendering, resulting in stored cross-site scripting.

In multi-tenant deployments where topology submission is available to less-trusted users but the UI is accessed by operators or administrators, this enables privilege escalation through script execution in an admin's browser session.

Mitigation: 2.x users should upgrade to 2.8.6. Users who cannot upgrade immediately should monkey-patch the parseNode() and parseEdge() functions in the visualization JavaScript file to HTML-escape all API-supplied values including nodeId, :capacity, :latency, :component, :stream, and :grouping before interpolation into tooltip HTML strings, and should additionally restrict topology submission to trusted users via Nimbus ACLs as a defense-in-depth measure. A guide on how to do this is available in the release notes of 2.8.6.

Credit: This issue was discovered while investigating another report by K.

AnalysisAI

Stored cross-site scripting in Apache Storm UI before 2.8.6 allows authenticated users with topology submission rights to inject malicious HTML/JavaScript via unsanitized component identifiers, stream names, and grouping values in the visualization component. The payload persists in Nimbus and executes in the browser of any administrator viewing the topology visualization, enabling privilege escalation in multi-tenant deployments. EPSS score of 0.04% and SSVC assessment of partial technical impact with no automated exploitation indicate relatively low real-world risk despite the concerning privilege-escalation scenario.

Technical ContextAI

Apache Storm's UI visualization component uses vis.js for rendering network topology graphs. The vulnerability exists in JavaScript functions parseNode() and parseEdge(), which directly interpolate topology metadata (component IDs, stream names, grouping attributes) into HTML via innerHTML without sanitization. Topology metadata originates from Nimbus (Storm's master) via Thrift RPC and flows through the Visualization API to the frontend JavaScript layer. The root cause is inadequate input validation (CWE-79: Improper Neutralization of Input During Web Page Generation) at the point where user-controlled data from topology definitions enters HTML construction. Because topology definitions are stored persistently in Nimbus, malicious payloads remain in the system and execute whenever the topology visualization is rendered.

RemediationAI

Upgrade to Apache Storm 2.8.6 or later, which includes sanitization of topology metadata in the visualization JavaScript layer. For organizations unable to upgrade immediately, the release notes of Apache Storm 2.8.6 provide a guide to manually monkey-patch the parseNode() and parseEdge() functions in the visualization JavaScript file to HTML-escape all API-supplied values (nodeId, capacity, latency, component, stream, grouping attributes) before interpolation into tooltip HTML. Additionally, implement defense-in-depth by restricting topology submission permissions via Nimbus ACLs to only trusted users, reducing the attack surface. Consult the official advisory at https://storm.apache.org/2026/04/12/storm286-released.html and https://nvd.nist.gov/vuln/detail/CVE-2026-35565 for detailed remediation guidance.

Share

EUVD-2026-21904 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy