PT-2026-32329 · Apache · Apache Storm

Published 2026-04-13 · Updated 2026-04-13 · CVE-2026-35565

CVSS v3.1 5.4 Medium
Vector AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Apache Storm versions prior to 2.8.6
Description: The Storm UI visualization component interpolates topology metadata (component IDs, stream names, and grouping values) directly into HTML via innerHTML in the parseNode() and parseEdge() functions without sanitization. An authenticated user with topology submission rights can craft a topology whose component identifiers contain HTML or JavaScript. That payload travels unchanged through Nimbus, Thrift, and the Visualization API into the vis.js tooltip markup, where it is rendered as stored cross-site scripting. The script runs in the browser session of whoever views the topology visualization, so in multi-tenant deployments a low-privileged submitter can act with the privileges of any operator or administrator who opens the UI.
Recommendations: Upgrade to version 2.8.6. As a temporary workaround, monkey-patch the parseNode() and parseEdge() functions in the visualization JavaScript file to HTML-escape every API-supplied value, including nodeId, :capacity, :latency, :component, :stream, and :grouping, before it is interpolated into a tooltip HTML string; such a patch has to be reapplied whenever the UI's static assets are redeployed. As defense in depth, restrict topology submission to trusted users via Nimbus ACLs, which limits who can plant a payload but does not remove the rendering flaw itself.
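The interpolation pattern the advisory describes, beside the escaped form the workaround asks for, as an added JavaScript example that is not Apache Storm's own code. The node and edge objects and their field names are assumptions modelled on the identifiers the advisory lists, the sample values are constructed, and findMarkupInValues() is a hypothetical operator-side helper for screening a visualization API response while the unpatched UI is still deployed.

```javascript
// Added example, not Apache Storm's code. The object shapes below are an
// assumption built from the field names in the advisory (nodeId, :capacity,
// :latency, :component, :stream, :grouping); the values are constructed.

// Constructed sample of what a visualization API response might carry. The
// component id is the attacker-controlled value: a topology submitter chose
// it, and an unpatched UI hands it to innerHTML unchanged.
const SAMPLE_NODE = {
  nodeId: 'spout<img src=x onerror="alert(document.cookie)">',
  ':capacity': 0.42,
  ':latency': '12.5',
  ':component': 'spout<img src=x onerror="alert(document.cookie)">',
};

const SAMPLE_EDGE = {
  ':stream': 'default" onmouseover="alert(1)',
  ':grouping': 'SHUFFLE',
};

// Minimal HTML escaper for the five characters that can break out of text
// content or a quoted attribute. Non-strings (numbers) are stringified first
// so every API field goes through the same path.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[ch]);
}

// Vulnerable pattern ("before"): raw API values concatenated into an HTML
// string that a vis.js tooltip would assign via innerHTML.
function buildNodeTooltipUnsafe(node) {
  return '<b>' + node.nodeId + '</b><br/>' +
         'capacity: ' + node[':capacity'] + '<br/>' +
         'latency: ' + node[':latency'] + '<br/>' +
         'component: ' + node[':component'];
}

// Hardened form ("after"): every API-supplied value is escaped at the point
// of interpolation, which is what the workaround monkey-patch has to do.
function buildNodeTooltipSafe(node) {
  return '<b>' + escapeHtml(node.nodeId) + '</b><br/>' +
         'capacity: ' + escapeHtml(node[':capacity']) + '<br/>' +
         'latency: ' + escapeHtml(node[':latency']) + '<br/>' +
         'component: ' + escapeHtml(node[':component']);
}

function buildEdgeTooltipSafe(edge) {
  return 'stream: ' + escapeHtml(edge[':stream']) + '<br/>' +
         'grouping: ' + escapeHtml(edge[':grouping']);
}

// Hypothetical operator-side check: walk a decoded API response and report
// the paths of string values containing characters that only matter if they
// reach innerHTML unescaped. Arrays are walked like objects, so paths look
// like "nodes.0.nodeId".
function findMarkupInValues(obj, path = '') {
  const hits = [];
  for (const [key, value] of Object.entries(obj)) {
    const here = path ? path + '.' + key : key;
    if (value && typeof value === 'object') {
      hits.push(...findMarkupInValues(value, here));
    } else if (typeof value === 'string' && /[<>"']/.test(value)) {
      hits.push(here);
    }
  }
  return hits;
}

// Stand-alone demonstration when run directly with node.
if (typeof require !== 'undefined' && require.main === module) {
  console.log('unsafe:', buildNodeTooltipUnsafe(SAMPLE_NODE));
  console.log('safe:  ', buildNodeTooltipSafe(SAMPLE_NODE));
  console.log('flagged:', findMarkupInValues({ nodes: [SAMPLE_NODE], edges: [SAMPLE_EDGE] }));
}
```

Run with node: the unsafe builder returns the raw `<img ... onerror=...>` tag inside the tooltip markup, while the safe builder returns it as `&lt;img ... onerror=&quot;...&quot;&gt;`, which the tooltip then displays as literal text. Escaping belongs at the interpolation point, not upstream in Nimbus, because the same identifier is legitimately carried as plain data everywhere else in the pipeline.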

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2026-35565
GHSA-F2HP-QW27-8WFQ

Affected Products

Apache Storm