VYPR
Moderate severity · NVD Advisory · Published Dec 16, 2022 · Updated Apr 17, 2025

Apache Zeppelin: Stored XSS in note permissions

CVE-2022-46870

Description

Apache Zeppelin before 0.8.2 contains a stored XSS flaw allowing authenticated users to inject arbitrary JavaScript into other users' browsers.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

CVE-2022-46870 is a stored Cross-Site Scripting (XSS) vulnerability in Apache Zeppelin, a web-based notebook for interactive data analytics. The flaw arises from improper neutralization of user input during web page generation, enabling injection of arbitrary JavaScript code [1].

Exploitation

An attacker must be logged into the system and can submit malicious input through normal Zeppelin functionality. If a victim views the crafted content, the injected script executes in their browser session [1]. No special network position or additional privileges beyond a valid account are required.

Impact

Successful exploitation allows the attacker to perform actions on behalf of the victim user within the Zeppelin application, potentially accessing sensitive data, modifying notebooks, or escalating privileges. The XSS can also lead to session hijacking or further attacks on the organization's network [1].

Mitigation

The vulnerability affects Apache Zeppelin versions before 0.8.2. Users are strongly advised to upgrade to version 0.8.2 or later, which contains the fix [1]. No official workarounds have been published, and the product is actively maintained on GitHub [2].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                              | Ecosystem | Affected versions | Patched versions
org.apache.zeppelin:zeppelin         | Maven     | < 0.8.2           | 0.8.2

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 3

News mentions: 0 (no linked articles in our index yet)