Skip to main content

Appium Base Driver

1 CVEs product

Monthly

CVE-2026-58191 MEDIUM PATCH This Month

Reflected cross-site scripting in Appium's base-driver allows unauthenticated remote attackers to execute arbitrary JavaScript in a victim's browser on the Appium server origin. All Appium installations prior to 10.7.0 unconditionally expose three test routes whose `compileLodashTemplate` handler reflects unsanitized user-controlled inputs - the `throwError` query parameter, the `comments` POST field, and the `User-Agent` request header - directly into rendered HTML without output encoding. No public exploit has been identified at time of analysis, but the zero-authentication requirement and permanently-mounted test routes make any network-reachable Appium server an attack surface with no opt-out mechanism below the fix version.

XSS Appium Base Driver
NVD GitHub VulDB
CVSS 3.1
6.1
EPSS
0.3%
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Reflected cross-site scripting in Appium's base-driver allows unauthenticated remote attackers to execute arbitrary JavaScript in a victim's browser on the Appium server origin. All Appium installations prior to 10.7.0 unconditionally expose three test routes whose `compileLodashTemplate` handler reflects unsanitized user-controlled inputs - the `throwError` query parameter, the `comments` POST field, and the `User-Agent` request header - directly into rendered HTML without output encoding. No public exploit has been identified at time of analysis, but the zero-authentication requirement and permanently-mounted test routes make any network-reachable Appium server an attack surface with no opt-out mechanism below the fix version.

XSS Appium Base Driver
NVD GitHub VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy