Scan free
CRITICALCVE-2026-30862CVSS 9.1

CVE-2026-30862: XSS in Appsmith - Critical Admin Takeover

Platform

javascript

Component

appsmith

Fixed in

1.96.1

AI Confidence: highNVDEPSS 0.0%Reviewed: May 2026
View on NVD
Save

A critical Stored Cross-Site Scripting (XSS) vulnerability (CVE-2026-30862) has been identified in Appsmith versions prior to 1.96. This vulnerability resides within the Table Widget (TableWidgetV2) and allows attackers to inject malicious attributes into the DOM due to insufficient HTML sanitization. Successful exploitation can lead to a Full Administrative Account Takeover, significantly compromising the security of the application and its data. The vulnerability is resolved in version 1.96.

Impact and Attack Scenarios

The impact of CVE-2026-30862 is severe. An attacker with a regular user account can leverage the 'Invite Users' feature to trick a System Administrator into executing a high-privileged API call (/api/v1/admin/env). This API call, when executed with administrative privileges, grants the attacker complete control over the Appsmith instance. This includes the ability to modify configurations, access sensitive data, create or delete users, and potentially compromise other systems connected to Appsmith. The potential for data exfiltration and system disruption is substantial, making this a high-priority vulnerability to address.

Exploitation Context

CVE-2026-30862 was publicly disclosed on 2026-03-09. No public proof-of-concept (POC) code has been released at the time of writing, but the vulnerability's ease of exploitation and potential impact suggest a high probability of exploitation. It is not currently listed on the CISA KEV catalog, but its critical severity warrants close monitoring. The vulnerability's reliance on social engineering (tricking an administrator) increases the likelihood of targeted attacks.

Threat Intelligence

Exploit Status

Proof of ConceptUnknown
CISA KEVNO
Internet ExposureHigh
Reports1 threat report

EPSS

0.05% (14% percentile)

CISA SSVC

Exploitationpoc
Automatableno
Technical Impacttotal

CVSS Vector

THREAT INTELLIGENCE· CVSS 3.1CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H9.1CRITICALAttack VectorNetworkHow the attacker reaches the targetAttack ComplexityLowConditions required to exploitPrivileges RequiredLowAuthentication level needed to attackUser InteractionRequiredWhether a victim must take actionScopeChangedImpact beyond the vulnerable componentConfidentialityHighRisk of sensitive data exposureIntegrityHighRisk of unauthorized data modificationAvailabilityHighRisk of service disruptionnextguardhq.com · CVSS v3.1 Base Score
What do these metrics mean?
Attack Vector
Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity
Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required
Low — any valid user account is sufficient. Basic authenticated access required.
User Interaction
Required — victim must take an action: open a file, click a link, or visit a crafted page.
Scope
Changed — successful attack can pivot beyond the vulnerable component to other systems or the host OS.
Confidentiality
High — complete confidentiality loss. Attacker can read all data: credentials, keys, personal data.
Integrity
High — attacker can write, modify, or delete any data: databases, config files, or code.
Availability
High — complete crash or resource exhaustion. Full denial of service.

Affected Software

Componentappsmith
Vendorappsmithorg
Affected rangeFixed in
< 1.96 – < 1.961.96.1

Weakness Classification (CWE)

CWE-79

Timeline

  1. Reserved
  2. Published
  3. Modified
  4. EPSS updated

Mitigation and Workarounds

The primary mitigation for CVE-2026-30862 is to immediately upgrade Appsmith to version 1.96 or later. If upgrading is not immediately feasible, consider implementing strict input validation on the 'Invite Users' feature to prevent the injection of malicious attributes. While not a complete solution, this can reduce the attack surface. Monitor Appsmith logs for suspicious API calls to /api/v1/admin/env originating from unexpected user accounts. After upgrading, confirm the fix by attempting to trigger the vulnerable API call through the 'Invite Users' feature with a crafted payload; it should be properly sanitized and not execute.

How to fix

Update Appsmith to version 1.96 or higher. This version fixes the stored XSS vulnerability and privilege escalation that allows for administrator account takeover.

CVE Security Newsletter

Vulnerability analysis and critical alerts directly to your inbox.

Frequently asked questions

What is CVE-2026-30862 — XSS in Appsmith?

CVE-2026-30862 is a critical Stored XSS vulnerability affecting Appsmith versions prior to 1.96, allowing attackers to potentially gain administrative control.

Am I affected by CVE-2026-30862 in Appsmith?

If you are running Appsmith version 1.96 or earlier, you are vulnerable to this XSS attack. Immediately check your version and upgrade.

How do I fix CVE-2026-30862 in Appsmith?

The recommended fix is to upgrade Appsmith to version 1.96 or later. If immediate upgrade is not possible, implement input validation on the 'Invite Users' feature.

Is CVE-2026-30862 being actively exploited?

While no public exploits are currently known, the vulnerability's severity and ease of exploitation suggest a high probability of exploitation. Monitor your systems closely.

Where can I find the official Appsmith advisory for CVE-2026-30862?

Refer to the official Appsmith security advisory for detailed information and updates: [https://appsmith.com/security](https://appsmith.com/security)

Is your project affected?

Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.

Scan freeSearch CVEs