LeakyCreds

CVE-2026-30862 - Vulnerability Analysis

Critical (CVSS: 9.0)

Last Updated: March 11, 2026

Appsmith - Stored XSS

Published: March 10, 2026
Updated: March 11, 2026
PoC Available
Remote Exploitable

Overview

Appsmith versions before 1.96 contain a stored XSS vulnerability caused by a lack of HTML sanitization in the TableWidgetV2 React component. An attacker holding a regular user account can use it to force administrator API calls and achieve full administrative takeover; exploitation requires the attacker to have a regular user account.

Severity & Score

Severity: Critical
CVSS Score: 9.0
EPSS Score: 4.1% (probability of exploitation in the next 30 days)

Impact

Attackers can execute high-privileged API calls, leading to full administrative account takeover.

Mitigation

Upgrade to version 1.96 or later.

Social Media Activity (1 post)

Offensive Sequence
@offseq
Mar 10, 2026

⚠️ CRITICAL: CVE-2026-30862 in Appsmith <1.96 enables stored XSS via TableWidgetV2. Attackers can leverage 'Invite Users' for admin takeover. Patch to 1.96+ ASAP! No active exploits yet. https://radar.offseq.com/threat/cve-2026-30862-cwe-79-improper-neutralization-of-i-d918c60a #OffSeq #XSS #Appsmith #CVE2026_30862


Details

CVE ID: CVE-2026-30862
Severity: Critical
CVSS Score: 9.0
Type: stored_xss
Status: unconfirmed
EPSS: 4.1%
Social Posts: 1

CWE

  • CWE-79

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

EPSS Score

4.1% (probability of exploitation in the next 30 days)