CVE-2026-30862 · CRITICAL 9.0 · EPSS percentile 22.2%

Description

Appsmith is a platform to build admin panels, internal tools, and dashboards. Prior to version 1.96, a critical stored XSS vulnerability exists in the Table Widget (TableWidgetV2). The root cause is a lack of HTML sanitization in the React component rendering pipeline, which allows malicious attributes to be interpolated into the DOM. By leveraging the "Invite Users" feature, an attacker with a regular user account (user@gmail.com) can force a System Administrator to execute a high-privileged API call (/api/v1/admin/env), resulting in a full administrative account takeover. This vulnerability is fixed in version 1.96.

Scoring

CVSS 3.1: 9.0 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
EPSS: 0.31% probability of exploitation · percentile 22.2% · 2026-06-19T12:03:05Z
Published: 2026-03-10
Last modified: 2026-03-13

Underlying weaknesses (1)

CWE-79

References

  1. https://github.com/appsmithorg/appsmith/security/advisories/GHSA-5hw4-whxv-6794

Type | Target | Confidence | Tier
Weakness | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') cwe-79 | 0% | live

Related by meaning (6)

Nearest entities by semantic similarity across the cs-graph corpus.

  - CVE: CVE-2026-7299
  - CVE: CVE-2026-22794
  - CVE: CVE-2026-24042
  - CVE: CVE-2026-21311
  - CVE: CVE-2026-48297
  - CVE: CVE-2026-21361

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.