Platform
javascript
Component
appsmith
Fixed in
1.96.1
A critical Stored Cross-Site Scripting (XSS) vulnerability has been identified in Appsmith, a platform for building internal tools and dashboards. This flaw, present in versions up to 1.96, resides within the Table Widget (TableWidgetV2) due to insufficient HTML sanitization. Exploitation allows a regular user to trigger a high-privileged API call, potentially leading to a full administrative account takeover. The vulnerability has been resolved in version 1.96.
The impact of CVE-2026-30862 is severe. An attacker, even with a standard user account, can exploit this XSS vulnerability to gain complete control over the Appsmith instance. By leveraging the "Invite Users" feature, they can craft a malicious payload that, when processed by a System Administrator, executes a privileged API call (/api/v1/admin/env). This API call allows the attacker to modify system-level configurations and effectively assume the role of an administrator. The potential for data breaches, unauthorized access, and complete system compromise is significant. This vulnerability shares similarities with other XSS exploits where user-supplied data is improperly handled, leading to arbitrary code execution within the application’s context.
CVE-2026-30862 was publicly disclosed on 2026-03-09. There is currently no indication of active exploitation in the wild, but the critical severity and ease of exploitation (requiring only a standard user account) warrant immediate attention. The vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept (POC) code is likely to emerge given the vulnerability's nature and severity.
Organizations utilizing Appsmith for building internal tools and admin panels are at risk, particularly those with System Administrator accounts that are susceptible to social engineering attacks. Shared hosting environments where multiple users share an Appsmith instance are also at increased risk, as a compromised regular user account could potentially lead to administrative access.
• javascript / web:
// Check for suspicious API calls to /api/v1/admin/env in Appsmith logs
// Look for requests originating from unusual user accounts
• generic web:
# HEAD the admin endpoint and match the status line (HTTP/2 replies carry no "OK" text)
curl -sI 'https://<appsmith_instance>/api/v1/admin/env' | grep -iE '^HTTP/[0-9.]+ 200'
• generic web:
# Check Appsmith access logs for POST requests to /api/v1/admin/env
# with unusual user agents or referrer headers
Disclosure
Exploit status
EPSS
0.05% (14th percentile)
CISA SSVC
CVSS vector
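The detection hints above boil down to one review: find calls to /api/v1/admin/env and ask whether the account, the method and referer, and the user agent look like a normal administrator session. The script below is an added example, not code from the advisory or from the Appsmith project. It assumes a reverse-proxy access-log line of the form `ip user [time] "METHOD path proto" status "referer" "user-agent"`; the sample lines, the hostnames and the allow-list of administrator accounts are all constructed for the example.

```javascript
// Added example: scan access-log lines for calls to the privileged Appsmith
// endpoint /api/v1/admin/env and report the ones that deserve a closer look.
// Log format, hostnames and sample lines are constructed; adapt LINE_RE to the
// real format emitted by your proxy or load balancer.

const ADMIN_ENV_PATH = "/api/v1/admin/env";

// Assumed line format:
//   <ip> <user> [<timestamp>] "<method> <path> <proto>" <status> "<referer>" "<user-agent>"
const LINE_RE = /^(\S+) (\S+) \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) "([^"]*)" "([^"]*)"$/;

function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  return {
    ip: m[1], user: m[2], time: m[3], method: m[4], path: m[5],
    status: Number(m[6]), referer: m[7], ua: m[8],
  };
}

// knownAdmins: Set of accounts expected to call the admin endpoint (assumed allow-list).
// expectedOrigin: the Appsmith origin a legitimate browser request would carry as referer.
function findSuspiciousAdminEnvCalls(lines, knownAdmins, expectedOrigin) {
  const findings = [];
  for (const line of lines) {
    const r = parseLine(line);
    if (!r || !r.path.startsWith(ADMIN_ENV_PATH)) continue;
    const reasons = [];
    if (!knownAdmins.has(r.user)) reasons.push("non-admin account");
    // Reads of the endpoint are routine; writes from outside the app origin are not.
    if (r.method !== "GET" && !r.referer.startsWith(expectedOrigin)) {
      reasons.push("state-changing call with unexpected referer");
    }
    if (/curl|wget|python-requests/i.test(r.ua)) reasons.push("non-browser user agent");
    if (reasons.length) {
      findings.push({ user: r.user, ip: r.ip, method: r.method, status: r.status, reasons });
    }
  }
  return findings;
}

// Constructed sample log: one routine admin read, one API-client attempt by a
// regular user, one write by the admin account with a foreign referer, one unrelated request.
const SAMPLE_LOG = [
  '10.0.0.5 admin@example.test [09/Mar/2026:10:01:02 +0000] "GET /api/v1/admin/env HTTP/1.1" 200 "https://appsmith.example.test/settings" "Mozilla/5.0"',
  '10.0.0.9 alice@example.test [09/Mar/2026:10:03:14 +0000] "PUT /api/v1/admin/env HTTP/1.1" 403 "" "python-requests/2.31"',
  '10.0.0.5 admin@example.test [09/Mar/2026:10:04:40 +0000] "PUT /api/v1/admin/env HTTP/1.1" 200 "https://other.example/" "Mozilla/5.0"',
  '10.0.0.7 bob@example.test [09/Mar/2026:10:05:00 +0000] "GET /api/v1/applications HTTP/1.1" 200 "https://appsmith.example.test/" "Mozilla/5.0"',
];

const KNOWN_ADMINS = new Set(["admin@example.test"]);
const EXPECTED_ORIGIN = "https://appsmith.example.test";

console.log(JSON.stringify(findSuspiciousAdminEnvCalls(SAMPLE_LOG, KNOWN_ADMINS, EXPECTED_ORIGIN), null, 2));
```

Note the limit of this check: a call triggered by stored XSS runs inside the administrator's own browser session, so the account is a real admin, the user agent is a browser, and the referer may well be the Appsmith origin itself. Such a call passes every field-level test here, which is why the log review should be paired with an audit trail of actual changes to the instance configuration rather than used alone.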
The primary mitigation for CVE-2026-30862 is to immediately upgrade Appsmith to version 1.96 or later. If upgrading is not immediately feasible, consider implementing strict input validation and output encoding on all user-supplied data used within the Table Widget. While not a complete solution, a Web Application Firewall (WAF) configured to detect and block XSS payloads targeting the /api/v1/admin/env endpoint can provide a temporary layer of defense. Regularly review and audit Appsmith configurations, paying close attention to user permissions and access controls. After upgrading, confirm the fix by attempting to trigger the vulnerable API call with a known malicious payload and verifying that it is properly sanitized.
Update Appsmith to version 1.96 or higher. This version fixes the stored XSS vulnerability and the privilege escalation that makes an administrator account takeover possible.
CVE-2026-30862 is a critical Stored XSS vulnerability affecting Appsmith versions prior to 1.96, allowing attackers to potentially gain administrative control.
If you are running Appsmith version 1.96 or earlier, you are vulnerable to this XSS attack. Immediately check your version and upgrade.
The recommended fix is to upgrade Appsmith to version 1.96 or later. If immediate upgrade is not possible, implement input validation on the 'Invite Users' feature.
While no public exploits are currently known, the vulnerability's severity and ease of exploitation suggest a high probability of exploitation. Monitor your systems closely.
Refer to the official Appsmith security advisory for detailed information and updates: [https://appsmith.com/security](https://appsmith.com/security)