CVE-2026-30862
Published: 10 March 2026
Summary
CVE-2026-30862 is a critical-severity Cross-site Scripting (CWE-79) vulnerability in Appsmith (vendor: Appsmith). Its CVSS base score is 9.0 (Critical).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It ranks at the 16.4th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5) [AI-generated]
SI-15 mandates filtering of output prior to rendering, directly addressing the lack of HTML sanitization in the TableWidgetV2 React component that allows malicious attributes to be interpolated into the DOM.
SI-10 requires validation of all inputs to the system, preventing the storage of malicious XSS payloads via features like 'Invite Users' that could target administrators.
SI-2 ensures timely flaw remediation, including patching the specific sanitization vulnerability fixed in Appsmith version 1.96 to eliminate the stored XSS risk.
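The output-filtering step that SI-15 calls for, as an added illustration that is not Appsmith's code: an allowlist-based sanitizer that strips event-handler attributes and non-http(s) href schemes from rich-text cell HTML before it is interpolated into the DOM. The tag and attribute allowlists are assumptions chosen for the example; a production widget should rely on a vetted library such as DOMPurify rather than a hand-rolled filter.

```javascript
// Added example, not Appsmith's code: allowlist-based output filter for HTML
// cell content, the sanitization step the advisory says TableWidgetV2 lacked.
// Tags and attributes below are an assumed allowlist for illustration; use a
// vetted library (e.g. DOMPurify) in production rather than a hand-rolled filter.

// Tag -> attribute names permitted on that tag. Anything else, including every
// on* event handler and style, is dropped; unknown tags are removed entirely.
const ALLOWED_TAGS = new Map([
  ['b', []], ['i', []], ['u', []], ['em', []], ['strong', []], ['br', []],
  ['p', []], ['span', ['class']], ['a', ['href', 'title']],
]);
// Only these href schemes survive; javascript:, data:, vbscript: etc. are dropped.
const SAFE_HREF = /^(?:https?:|mailto:|\/|#)/i;

const TAG_RE = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)([^>]*)>/g;
const ATTR_RE = /([^\s=\/"'>]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

// Text nodes: neutralise angle brackets so text can never open a new tag.
function escapeText(text) {
  return text.replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

function sanitizeAttrs(tag, rawAttrs) {
  const allowed = ALLOWED_TAGS.get(tag);
  const kept = [];
  for (const m of rawAttrs.matchAll(ATTR_RE)) {
    const name = m[1].toLowerCase();
    const value = (m[2] ?? m[3] ?? m[4] ?? '').trim();
    if (!allowed.includes(name)) continue;                    // e.g. onclick, onerror, style
    if (name === 'href' && !SAFE_HREF.test(value)) continue;  // e.g. javascript:alert(1)
    kept.push(` ${name}="${value.replace(/"/g, '&quot;')}"`);
  }
  return kept.join('');
}

function sanitizeCellHtml(html) {
  let out = '';
  let last = 0;
  for (const m of html.matchAll(TAG_RE)) {
    out += escapeText(html.slice(last, m.index));
    last = m.index + m[0].length;
    const tag = m[2].toLowerCase();
    if (!ALLOWED_TAGS.has(tag)) continue;                     // <script>, <img>, <iframe> removed whole
    out += m[1] === '/' ? `</${tag}>` : `<${tag}${sanitizeAttrs(tag, m[3])}>`;
  }
  return out + escapeText(html.slice(last));
}

// Constructed sample: a cell value carrying an event handler and a javascript: link.
console.log(sanitizeCellHtml('<a href="javascript:alert(1)" onclick="x()">Invite</a>'));
// prints <a>Invite</a>
```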
MITRE ATT&CK Enterprise Techniques [AI-generated]
Why these techniques?
Stored XSS in the web application directly enables exploitation of the accessible application (T1190) and hijacking of an administrator's browser session to force privileged API execution (T1185).
NVD Description
Appsmith is a platform to build admin panels, internal tools, and dashboards. Prior to 1.96, a Critical Stored XSS vulnerability exists in the Table Widget (TableWidgetV2). The root cause is a lack of HTML sanitization in the React component rendering pipeline, allowing malicious attributes to be interpolated into the DOM. By leveraging the "Invite Users" feature, an attacker with a regular user account (user@gmail.com) can force a System Administrator to execute a high-privileged API call (/api/v1/admin/env), resulting in a Full Administrative Account Takeover. This vulnerability is fixed in 1.96.
Deeper analysis [AI-generated]
CVE-2026-30862 is a critical stored cross-site scripting (XSS) vulnerability, rated 9.0 under CVSS 3.1 (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H) and mapped to CWE-79, affecting Appsmith versions prior to 1.96. Appsmith is a platform for building admin panels, internal tools, and dashboards. The issue resides in the Table Widget (TableWidgetV2), where a lack of HTML sanitization in the React component rendering pipeline allows malicious attributes to be interpolated into the DOM.
An attacker with a regular user account, such as user@gmail.com, can exploit this vulnerability by leveraging the "Invite Users" feature. This enables the attacker to force a System Administrator to execute a high-privileged API call to /api/v1/admin/env through a stored XSS payload, resulting in full administrative account takeover.
The official Appsmith security advisory (GHSA-5hw4-whxv-6794) confirms that the vulnerability is fixed in Appsmith version 1.96, recommending that users upgrade to this or later versions to mitigate the risk.
Details
- CWE(s)