VYPR
Medium severity (4.4) · NVD Advisory · Published Jun 19, 2026 · Updated Jun 19, 2026

Outerbase Studio: Stored XSS in Text Widget Leads to Authentication Token Exposure

CVE-2026-55650

Description

Summary

A Stored Cross-Site Scripting (XSS) issue previously existed in the Text Widget of the Board feature in Outerbase Studio, where unsanitized HTML could be rendered using dangerouslySetInnerHTML.

Steps to Reproduce

  1. Create a new dashboard.
  2. Add a Text widget.
  3. Insert the following payload:

Architectural Context

Outerbase Cloud and its backend services were discontinued in 2025.

The current version of Outerbase Studio operates purely as a client-side application, with dashboard data stored locally in the browser.

Impact

In the current architecture, the impact is limited to local self-XSS within a user's browser session. The previously described scenarios involving:

  • authentication token theft
  • account takeover
  • database access

are no longer applicable since there are no active backend services or authentication tokens.

Remediation

The unsafe HTML rendering in the Text Widget has been removed in commit https://github.com/outerbase/studio/commit/b06fb85e5967440278d5a815721b360920566ab9 by eliminating the use of dangerouslySetInnerHTML.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability mechanics

Root cause

"The Text widget used `dangerouslySetInnerHTML` to render user-supplied text without sanitization, allowing arbitrary HTML and JavaScript execution."

Attack vector

An attacker with the ability to create or edit a dashboard can add a Text widget and insert a malicious HTML payload (e.g. `<img src=x onerror="alert('XSS')">`). Because the widget used `dangerouslySetInnerHTML` to render user-supplied text without sanitization, the browser executes the injected script when the dashboard is viewed [ref_id=1][ref_id=3]. The payload can access `localStorage` to exfiltrate the `ob-token` authentication token, enabling token theft and account takeover [ref_id=1][ref_id=3].

What the fix does

The patch removes the `dangerouslySetInnerHTML` attribute from the `<span>` element in `TextComponent` and replaces it with standard React text rendering (`<span>{markdown}</span>`) [patch_id=6633266]. It also deletes the custom markdown-to-HTML regex replacements that previously converted markdown syntax into raw `<b>`, `<i>`, `<u>`, and `<br>` tags. By no longer interpreting the user-supplied text as HTML, any embedded script tags or event handlers are rendered as inert text, closing the XSS vector.
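The attack vector and the fix described above, modelled in plain JavaScript as an added example (this is not Outerbase Studio's code, and it uses no React). It contrasts the pre-fix pattern (markdown-style regex replacements over raw text, fed to innerHTML) with the text-only rendering the patch adopts, adds an escape-then-markup variant that keeps the formatting feature (an assumption about how one could do it, not what the project shipped), and finishes with a small audit helper for text widgets already stored in the browser. Function names, the assumed markdown syntax and the sample widget records are all constructed for this example.

```javascript
// Added example, not Outerbase Studio's code: models the vulnerable and the
// hardened rendering paths of a Text widget in plain JavaScript, plus a small
// audit helper for dashboards already stored in the browser.
// Function names, the assumed markdown syntax (**bold**, newline -> <br>) and
// all sample data below are constructed for this example.

// Constructed sample value of the kind the advisory describes: injected markup
// mixed with ordinary widget text.
const SAMPLE_PAYLOAD = '<img src=x onerror="alert(1)"> **bold** line\nnext';

// Vulnerable pattern (before the fix): markdown-style replacements are run over
// the raw value and the result is handed to innerHTML / dangerouslySetInnerHTML.
// Any tag or event handler the user typed survives untouched.
function renderUnsafe(text) {
  return String(text)
    .replace(/\*\*(.+?)\*\*/g, '<b>$1</b>')
    .replace(/\n/g, '<br>');
}

// Entity-escape the five characters that can change HTML structure. Output is
// safe to place in element content or in a double/single-quoted attribute.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Hardened path matching the fix: the value is text, never markup. Equivalent
// to React's `<span>{markdown}</span>` or assigning DOM `textContent`.
function renderAsText(text) {
  return escapeHtml(text);
}

// Alternative hardened path (an assumption, not what the project shipped): keep
// the formatting feature by escaping first and only then inserting fixed-literal
// tags. The regexes never see a raw `<`, `>` or quote, so the only tags in the
// output are the ones written here.
function renderSafeMarkdown(text) {
  return escapeHtml(text)
    .replace(/\*\*(.+?)\*\*/g, '<b>$1</b>')
    .replace(/\n/g, '<br>');
}

// Audit helper: flag stored text widgets whose value contains a tag opener or an
// inline event-handler attribute. Useful when reviewing dashboards persisted in
// the browser that were saved before the widget was patched.
function looksLikeHtmlInjection(text) {
  return /<\s*[a-z!\/]/i.test(text) || /\bon[a-z]+\s*=/i.test(text);
}

function auditWidgets(widgets) {
  return widgets
    .filter((w) => w.type === 'text' && looksLikeHtmlInjection(w.value))
    .map((w) => w.id);
}

// Constructed dashboard records in the shape a local-storage dump might take.
const SAMPLE_WIDGETS = [
  { id: 'w1', type: 'text', value: 'Revenue **Q3** summary' },
  { id: 'w2', type: 'text', value: SAMPLE_PAYLOAD },
  { id: 'w3', type: 'chart', value: 'SELECT count(*) FROM orders' },
];

console.log(renderUnsafe(SAMPLE_PAYLOAD));        // tag and onerror survive
console.log(renderSafeMarkdown(SAMPLE_PAYLOAD));  // &lt;img ... &gt; <b>bold</b> line<br>next
console.log(auditWidgets(SAMPLE_WIDGETS));        // [ 'w2' ]
```

Run it with `node` to see the three outputs. The design point is ordering: escaping must happen before any markup is generated, and the markup inserted afterwards must be literal tags written by the code, not derived from user input. Removing the markdown conversion entirely, as the patch does, is the simplest correct choice; the escape-then-markup variant is what to reach for only if the formatting feature has to be retained.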

Preconditions

  • Auth: Attacker must be able to create or edit a dashboard and add a Text widget
  • Input: Victim must view the dashboard containing the malicious Text widget

Reproduction

1. Create a new dashboard.
2. Add a **Text widget**.
3. Insert the following payload:

```html
<img src=x onerror="alert('XSS Executed\nToken: ' + localStorage.getItem('ob-token'))">
```

[ref_id=1][ref_id=3]

Generated on Jun 19, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
