Lucene search
K

5 matches found

OSV
OSV
added 2026/04/13 12:31 p.m.2 views

GHSA-F2HP-QW27-8WFQ Apache Storm UI: Stored Cross-Site Scripting (XSS) via Unsanitized Topology Metadata

Stored Cross-Site Scripting XSS via Unsanitized Topology Metadata in Apache Storm UI Versions Affected: before 2.8.6 Description: The Storm UI visualization component interpolates topology metadata including component IDs, stream names, and grouping values directly into HTML via innerHTML in...

5.4CVSS5.9AI score0.00466EPSS
Exploits0References4
EUVD
EUVD
added 2026/04/13 12:31 p.m.3 views

EUVD-2026-21902

Deserialization of Untrusted Data vulnerability in Apache Storm. Versions Affected: before 2.8.6. Description: When processing topology credentials submitted via the Nimbus Thrift API, Storm deserializes the base64-encoded TGT blob using ObjectInputStream.readObject without any class filtering or...

8.8CVSS6.4AI score0.01011EPSS
Exploits0References3
CVE
CVE
added 2026/04/13 9:11 a.m.29 views

CVE-2026-35337

CVE-2026-35337 — Apache Storm Deserialization of Untrusted Data via Kerberos TGT Credential Handling. Affected: Storm before 2.8.6. Summary: processing topology credentials submitted to Nimbus Thrift API deserializes base64-encoded TGT blobs with ObjectInputStream.readObject() without class filte...

8.8CVSS6.4AI score0.01011EPSS
Exploits0References2Affected Software1
Vulnrichment
Vulnrichment
added 2026/04/13 9:10 a.m.1 views

CVE-2026-35565 Apache Storm UI: Stored Cross-Site Scripting (XSS) via Unsanitized Topology Metadata in Storm UI

Stored Cross-Site Scripting XSS via Unsanitized Topology Metadata in Apache Storm UI Versions Affected: before 2.8.6 Description: The Storm UI visualization component interpolates topology metadata including component IDs, stream names, and grouping values directly into HTML via innerHTML in...

5.9AI score0.00466EPSS
Exploits0References1
CVE
CVE
added 2026/04/13 9:10 a.m.21 views

CVE-2026-35565

The CVE affects Apache Storm UI before 2.8.6. The Storm UI visualization component interpolates topology metadata (component IDs, stream names, grouping values) directly into HTML via innerHTML in parseNode() and parseEdge() without sanitization, enabling stored XSS when an authenticated user wit...

5.4CVSS5.9AI score0.00466EPSS
Exploits0References2Affected Software1
Rows per page
Query Builder