Unrated severityNVD Advisory· Published Mar 9, 2026· Updated Mar 10, 2026
Critical Stored XSS & Privilege Escalation in Appsmith
CVE-2026-30862
Description
Appsmith is a platform to build admin panels, internal tools, and dashboards. Prior to 1.96, a Critical Stored XSS vulnerability exists in the Table Widget (TableWidgetV2). The root cause is a lack of HTML sanitization in the React component rendering pipeline, allowing malicious attributes to be interpolated into the DOM. By leveraging the "Invite Users" feature, an attacker with a regular user account (user@gmail.com) can force a System Administrator to execute a high-privileged API call (/api/v1/admin/env), resulting in a Full Administrative Account Takeover. This vulnerability is fixed in 1.96.
Affected products
3<1.96+ 1 more
- (no CPE)range: <1.96
- (no CPE)range: < 1.96
Patches
Vulnerability mechanics
References
1- github.com/appsmithorg/appsmith/security/advisories/GHSA-5hw4-whxv-6794mitrex_refsource_CONFIRM
News mentions
0No linked articles in our index yet.