PT-2026-51103 · Npm · @Outerbase/Studio

Publicado

2026-06-19

Atualizado

2026-06-19

CVE-2026-55650

CVSS v3.1

4.4

Média

Vetor

AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

Summary

A Stored Cross-Site Scripting (XSS) issue previously existed in the Text Widget in Board of Outerbase Studio where unsanitized HTML could be rendered using dangerouslySetInnerHTML

Steps to Reproduce

Create a new dashboard.
Add a Text widget.
Insert the following payload:

html

<img src=x onerror="alert('XSS Executed
Token: ' + localStorage.getItem('ob-token'))">

Architectural Context

Outerbase Cloud and its backend services were discontinued in 2025.

The current version of Outerbase Studio operates purely as a client-side application, with dashboard data stored locally in the browser.

Impact

In the current architecture, the impact is limited to local self-XSS within a user's browser session. The previously described scenarios involving:

authentication token theft
account takeover
database access

are no longer applicable since there are no active backend services or authentication tokens.

Remediation

The unsafe HTML rendering in the Text Widget has been removed in commit https://github.com/outerbase/studio/commit/b06fb85e5967440278d5a815721b360920566ab9 by eliminating the use of dangerouslySetInnerHTML.

Correção

XSS

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-79

Identificadores relacionados

CVE-2026-55650

GHSA-WWF9-7JRC-RV4Q

Produtos afetados

@Outerbase/Studio

PT-2026-51103 · Npm · @Outerbase/Studio

CVE-2026-55650

Summary

Steps to Reproduce

Architectural Context

Impact

Remediation

Enumeração de Fraquezas

Identificadores relacionados

Produtos afetados

Referências · 4