Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-30862 is a critical Stored Cross-Site Scripting (XSS) vulnerability in Appsmith versions up to 1.95, specifically in the Table Widget (TableWidgetV2). The issue arises because the React component responsible for rendering table cells does not properly sanitize user input, allowing malicious HTML and scripts to be injected directly into the DOM.'}, {'type': 'paragraph', 'content': 'An attacker with a regular user account can exploit this by injecting malicious payloads into the table data, which are then rendered unsanitized. By leveraging the "Invite Users" feature, the attacker can trick a System Administrator into opening a malicious table, causing the administrator\'s browser to execute the injected script with high privileges.'}, {'type': 'paragraph', 'content': 'This leads to a Cross-Privilege Request Forgery (CPRF) attack, where the attacker can perform high-privileged API calls on behalf of the administrator, ultimately resulting in a full administrative account takeover of the Appsmith instance.'}] [1]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have severe impacts including complete compromise of the Appsmith instance.

• Full administrative account takeover, allowing the attacker to control the entire application.
• Exposure of sensitive environment variables and database credentials.
• Ability to modify any application within the environment.
• Potential disruption of confidentiality, integrity, and availability of the system.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by inspecting the Table Widget (TableWidgetV2) in Appsmith versions up to 1.95 for unsanitized user input, especially in columns set to URL or Plain Text types. Look for injected HTML or JavaScript payloads in the Table Data property that could execute when rendered.

Since the attack involves a Stored Cross-Site Scripting (XSS) payload that executes when an administrator opens a malicious table, detection can include monitoring for unusual API calls to /api/v1/admin/env triggered by user interactions.

Suggested commands or methods include:

• Review application logs for suspicious API calls to /api/v1/admin/env.
• Use web application security scanners to detect stored XSS vulnerabilities in the Table Widget.
• Manually inspect Table Widget data inputs for embedded HTML or JavaScript tags, such as <img> tags with onerror attributes.
• Monitor network traffic for unexpected requests or privilege escalation attempts originating from user accounts.

Useful 0 Not Useful 0

Mitigation Strategies

[{'type': 'paragraph', 'content': 'The immediate mitigation step is to upgrade Appsmith to version 1.96 or later, where this vulnerability is fixed.'}, {'type': 'paragraph', 'content': "Additional mitigation includes sanitizing all dynamic outputs in the Table Widget's BasicCell component using a library like DOMPurify.sanitize() to prevent injection of malicious HTML or scripts."}, {'type': 'paragraph', 'content': 'Enforce a strict Content Security Policy (CSP), especially a restrictive connect-src directive, to prevent unauthorized API calls from malicious scripts.'}, {'type': 'paragraph', 'content': 'Limit user privileges and monitor the use of the "Invite Users" feature to reduce the risk of social engineering attacks.'}] [1]

Useful 0 Not Useful 0