CVE-2026-30862

CRITICAL

Appsmith <1.96 - Stored XSS

Title source: llm

Description

Appsmith is a platform to build admin panels, internal tools, and dashboards. Prior to 1.96, a Critical Stored XSS vulnerability exists in the Table Widget (TableWidgetV2). The root cause is a lack of HTML sanitization in the React component rendering pipeline, allowing malicious attributes to be interpolated into the DOM. By leveraging the "Invite Users" feature, an attacker with a regular user account ([email protected]) can force a System Administrator to execute a high-privileged API call (/api/v1/admin/env), resulting in a Full Administrative Account Takeover. This vulnerability is fixed in 1.96.

Exploits (2)

github STUB 10 stars
by XiaomingX · pythonpoc
https://github.com/XiaomingX/data-cve-poc-py-v1/tree/main/2026/CVE-2026-30862
nomisec WRITEUP 1 stars
by drkim-dev · poc
https://github.com/drkim-dev/CVE-2026-30862

References (1)

Scores

CVSS v3 9.0
EPSS 0.0005
EPSS Percentile 16.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

Details

CWE
CWE-79
Status published
Products (1)
appsmith/appsmith < 1.96
Published Mar 10, 2026
Tracked Since Mar 11, 2026