CVE-2026-33858 - Vulnerability Analysis
High | CVSS: 8.8 | Last Updated: April 13, 2026
Apache Airflow - Stored XSS
Overview
Apache Airflow contains a stored XSS caused by crafted XCom payloads, which allows Dag Authors to execute arbitrary code in the webserver context. Exploitation requires Dag Author privileges.
Severity & Score
Impact
Dag Authors can execute arbitrary code in the webserver context, potentially compromising the server.
Mitigation
Upgrade to Apache Airflow 3.2.0.
References
Social Media Activity (2 posts)
CVE-2026-33858 - High (8.8) Dag Authors, who normally should not be able to execute code in the webserver context could craft XCom payload causing the webserver to execute arbitrary code. Since Dag Authors are already highly trusted, severity of this issue is Low. Users ar... https://www.thehackerwire.com/vulnerability/CVE-2026-33858/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
Details
- CVE ID: CVE-2026-33858
- Severity: High
- CVSS Score: 8.8
- Type: stored_xss
- Status: new
- EPSS: 0.0%
- Social Posts: 2
CWE
- CWE-502
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H