Platform: javascript
Component: appsmith
Fixed in: 1.96.1
A critical Stored Cross-Site Scripting (XSS) vulnerability (CVE-2026-30862) has been identified in Appsmith versions prior to 1.96. This vulnerability resides within the Table Widget (TableWidgetV2) and allows attackers to inject malicious attributes into the DOM due to insufficient HTML sanitization. Successful exploitation can lead to a Full Administrative Account Takeover, significantly compromising the security of the application and its data. The vulnerability is resolved in version 1.96.
The impact of CVE-2026-30862 is severe. An attacker with a regular user account can leverage the 'Invite Users' feature to trick a System Administrator into executing a high-privileged API call (/api/v1/admin/env). This API call, when executed with administrative privileges, grants the attacker complete control over the Appsmith instance. This includes the ability to modify configurations, access sensitive data, create or delete users, and potentially compromise other systems connected to Appsmith. The potential for data exfiltration and system disruption is substantial, making this a high-priority vulnerability to address.
CVE-2026-30862 was publicly disclosed on 2026-03-09. No public proof-of-concept (POC) code has been released at the time of writing, but the vulnerability's ease of exploitation and potential impact suggest a high probability of exploitation. It is not currently listed on the CISA KEV catalog, but its critical severity warrants close monitoring. The vulnerability's reliance on social engineering (tricking an administrator) increases the likelihood of targeted attacks.
Organizations utilizing Appsmith for building internal tools and admin panels are at risk, particularly those with System Administrator accounts that are susceptible to social engineering attacks. Shared hosting environments where multiple users share an Appsmith instance are also at increased risk, as a compromised regular user account could potentially lead to administrative access.
• javascript / web:
// Check for suspicious API calls to /api/v1/admin/env in Appsmith logs
// Look for requests originating from unusual user accounts
• generic web:
# -s silences the progress meter; match the status line itself, since HTTP/2 responses print "HTTP/2 200" without "OK"
curl -sI 'https://<appsmith_instance>/api/v1/admin/env' | grep -iE '^HTTP/[0-9.]+ 200'
• generic web:
# Check Appsmith access logs for POST requests to /api/v1/admin/env
# with unusual user agents or referrer headers
Disclosure
Exploit status
EPSS
0.05% (14th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-30862 is to immediately upgrade Appsmith to version 1.96 or later. If upgrading is not immediately feasible, consider implementing strict input validation on the 'Invite Users' feature to prevent the injection of malicious attributes. While not a complete solution, this can reduce the attack surface. Monitor Appsmith logs for suspicious API calls to /api/v1/admin/env originating from unexpected user accounts. After upgrading, confirm the fix by attempting to trigger the vulnerable API call through the 'Invite Users' feature with a crafted payload; it should be properly sanitized and not execute.
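The log monitoring suggested above, as an added example that is not part of this advisory or of Appsmith's own tooling: it scans access-log lines for calls to /api/v1/admin/env and flags writes from non-admin accounts or from a referrer outside the admin settings pages (the pattern a tricked administrator's browser would produce). The key=value log layout, the sample lines, and the user/referer fields are constructed assumptions; adapt the regex to your deployment's real log format.

```python
import re
from dataclasses import dataclass

# Constructed sample lines; this key=value layout is an assumption, not
# Appsmith's real access-log format. Adapt LINE_RE to your deployment.
SAMPLE_LOG = """\
2026-03-10T12:00:01Z user=admin@example.test method=GET path=/api/v1/admin/env status=200 referer=https://apps.example.test/settings/general
2026-03-10T12:00:05Z user=admin@example.test method=PUT path=/api/v1/admin/env status=200 referer=https://apps.example.test/settings/general
2026-03-10T12:01:17Z user=admin@example.test method=PUT path=/api/v1/admin/env status=200 referer=https://apps.example.test/app/orders/page1
2026-03-10T12:02:40Z user=mallory@example.test method=PUT path=/api/v1/admin/env status=403 referer=https://apps.example.test/app/orders/page1
2026-03-10T12:03:00Z user=bob@example.test method=GET path=/api/v1/users/me status=200 referer=https://apps.example.test/applications
"""

LINE_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
TARGET_PATH = "/api/v1/admin/env"
# Methods that change instance configuration (assumed set; page names POST).
WRITE_METHODS = {"POST", "PUT", "PATCH"}


@dataclass
class Finding:
    timestamp: str
    user: str
    method: str
    reason: str


def parse_line(line):
    """Split one log line into a dict of key=value fields plus its timestamp."""
    fields = dict(LINE_RE.findall(line))
    fields["timestamp"] = line.split(" ", 1)[0]
    return fields


def flag_admin_env_calls(log_text, admin_users, trusted_referer_prefix):
    """Return admin-env requests that deserve review: any call from an account
    not in the admin allowlist, and any write whose referer is not an admin
    settings page (a stored XSS payload fires from an ordinary app page)."""
    findings = []
    for line in log_text.splitlines():
        f = parse_line(line)
        if f.get("path") != TARGET_PATH:
            continue
        reasons = []
        if f.get("user") not in admin_users:
            reasons.append("non-admin account")
        if f.get("method") in WRITE_METHODS and not f.get("referer", "").startswith(trusted_referer_prefix):
            reasons.append("write from outside admin settings page")
        if reasons:
            findings.append(Finding(f["timestamp"], f.get("user", "?"), f.get("method", "?"), "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for hit in flag_admin_env_calls(SAMPLE_LOG, {"admin@example.test"}, "https://apps.example.test/settings/"):
        print(hit)
```

On the constructed sample this reports the admin's PUT issued from an application page and the non-admin account's attempt, and ignores the two legitimate settings-page requests.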
Update Appsmith to version 1.96 or later. This version fixes the stored XSS vulnerability and the privilege escalation that allows administrator account takeover.
CVE-2026-30862 is a critical Stored XSS vulnerability affecting Appsmith versions prior to 1.96, allowing attackers to potentially gain administrative control.
If you are running Appsmith version 1.96 or earlier, you are vulnerable to this XSS attack. Immediately check your version and upgrade.
The recommended fix is to upgrade Appsmith to version 1.96 or later. If immediate upgrade is not possible, implement input validation on the 'Invite Users' feature.
While no public exploits are currently known, the vulnerability's severity and ease of exploitation suggest a high probability of exploitation. Monitor your systems closely.
Refer to the official Appsmith security advisory for detailed information and updates: [https://appsmith.com/security](https://appsmith.com/security)