Platform: javascript
Component: appsmith
Fixed in: 1.96.1
A critical stored cross-site scripting (XSS) vulnerability, CVE-2026-30862, affects Appsmith versions prior to 1.96. It resides in the Table Widget (TableWidgetV2), where insufficient HTML sanitization allows attackers to inject malicious attributes into the DOM. Successful exploitation can lead to a full administrative account takeover, significantly compromising the security of the application and its data. The vulnerability is resolved in version 1.96.
The impact of CVE-2026-30862 is severe. An attacker with a regular user account can use the 'Invite Users' feature to trick a System Administrator into executing a high-privileged API call (/api/v1/admin/env). Because that call runs with administrative privileges, it grants the attacker complete control over the Appsmith instance, including the ability to modify configuration, access sensitive data, create or delete users, and potentially compromise other systems connected to Appsmith. The potential for data exfiltration and service disruption is substantial, making this a high-priority vulnerability to address.
CVE-2026-30862 was publicly disclosed on 2026-03-09. No public proof-of-concept (PoC) code had been released at the time of writing, but the vulnerability's ease of exploitation and potential impact suggest a high probability of exploitation. It is not currently listed in the CISA KEV catalog, but its critical severity warrants close monitoring. The vulnerability's reliance on social engineering (tricking an administrator) increases the likelihood of targeted attacks.
Exploit Status
EPSS: 0.05% (14th percentile)
The primary mitigation for CVE-2026-30862 is to upgrade Appsmith to version 1.96 or later immediately. If upgrading is not immediately feasible, consider strict input validation on the 'Invite Users' feature to prevent the injection of malicious attributes; this is not a complete solution, but it reduces the attack surface. Monitor Appsmith logs for suspicious API calls to /api/v1/admin/env originating from unexpected user accounts. After upgrading, confirm the fix by attempting to trigger the vulnerable API call through the 'Invite Users' feature with a crafted payload; the payload should be properly sanitized and not execute.
Update Appsmith to version 1.96 or higher. This version fixes the stored XSS vulnerability and the privilege escalation that allows administrator account takeover.
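To support the log-monitoring recommendation above, here is an added example (not from the advisory or from Appsmith) that scans request logs for writes to /api/v1/admin/env and flags those from accounts outside a known-administrator list or fired from outside the admin settings UI. The JSON log format, the field names, the expected-admin set and the settings-page Referer check are assumptions made for this example.

```python
"""Flag suspicious writes to Appsmith's /api/v1/admin/env endpoint in request logs."""
import json
from typing import Iterable

ADMIN_ENV_PATH = "/api/v1/admin/env"
WRITE_METHODS = {"POST", "PUT", "PATCH"}

# Constructed sample log, one JSON object per request. The field names are an
# assumption for this example, not Appsmith's own log format.
SAMPLE_LOG = """\
{"ts":"2026-03-10T09:00:01Z","user":"admin@example.com","method":"GET","path":"/api/v1/admin/env","referer":"https://appsmith.example.com/settings/general","status":200}
{"ts":"2026-03-10T09:00:07Z","user":"admin@example.com","method":"PUT","path":"/api/v1/admin/env","referer":"https://appsmith.example.com/settings/general","status":200}
{"ts":"2026-03-10T09:14:22Z","user":"admin@example.com","method":"PUT","path":"/api/v1/admin/env","referer":"https://appsmith.example.com/applications","status":200}
{"ts":"2026-03-10T09:15:03Z","user":"mallory@example.com","method":"PUT","path":"/api/v1/admin/env","referer":"https://appsmith.example.com/settings/general","status":403}
{"ts":"2026-03-10T09:16:40Z","user":"bob@example.com","method":"GET","path":"/api/v1/applications","referer":"https://appsmith.example.com/applications","status":200}
"""


def find_suspicious_env_writes(log_lines: Iterable[str], expected_admins: set[str],
                               settings_origin: str) -> list[dict]:
    """Return one finding per write to the admin env endpoint that looks out of place.

    Rule 1 (from the advisory): the account is not a known administrator.
    Rule 2 (assumption for this example): the request did not originate from the
    admin settings UI, which is how a call fired by an injected attribute inside
    an application page would look, even though it carries the admin's session.
    """
    findings = []
    for raw in log_lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            entry = json.loads(raw)
        except json.JSONDecodeError:
            continue  # malformed line: skip it rather than abort the scan
        if entry.get("path") != ADMIN_ENV_PATH or entry.get("method") not in WRITE_METHODS:
            continue
        reasons = []
        if entry.get("user") not in expected_admins:
            reasons.append("unexpected account")
        if not str(entry.get("referer", "")).startswith(settings_origin):
            reasons.append("request not from settings UI")
        if reasons:
            findings.append({"ts": entry.get("ts"), "user": entry.get("user"),
                             "status": entry.get("status"), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for hit in find_suspicious_env_writes(SAMPLE_LOG.splitlines(), {"admin@example.com"},
                                          "https://appsmith.example.com/settings/"):
        print(hit)
```

On the sample log this reports the administrator's write that came from an application page and the rejected write by a non-admin account, while the legitimate settings-page write is left alone.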
CVE-2026-30862 is a critical Stored XSS vulnerability affecting Appsmith versions prior to 1.96, allowing attackers to potentially gain administrative control.
If you are running an Appsmith version earlier than 1.96, you are vulnerable to this XSS attack. Check your version and upgrade immediately.
The recommended fix is to upgrade Appsmith to version 1.96 or later. If immediate upgrade is not possible, implement input validation on the 'Invite Users' feature.
While no public exploits are currently known, the vulnerability's severity and ease of exploitation suggest a high probability of exploitation. Monitor your systems closely.
Refer to the official Appsmith security advisory for detailed information and updates: [https://appsmith.com/security](https://appsmith.com/security)