GHSA-wwf9-7jrc-rv4q

Suggest an improvement
Source
https://github.com/advisories/GHSA-wwf9-7jrc-rv4q
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-wwf9-7jrc-rv4q/GHSA-wwf9-7jrc-rv4q.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-wwf9-7jrc-rv4q
Aliases
  • CVE-2026-55650
Published
2026-06-19T21:18:44Z
Modified
2026-06-19T21:30:10.204988402Z
Severity
  • 4.4 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N CVSS Calculator
Summary
Outerbase Studio: Stored XSS in Text Widget Leads to Authentication Token Exposure
Details

Summary

A Stored Cross-Site Scripting (XSS) issue previously existed in the Text Widget in Board of Outerbase Studio where unsanitized HTML could be rendered using dangerouslySetInnerHTML

Steps to Reproduce

  1. Create a new dashboard.
  2. Add a Text widget.
  3. Insert the following payload:
<img src=x onerror="alert('XSS Executed\nToken: ' + localStorage.getItem('ob-token'))">

Architectural Context

Outerbase Cloud and its backend services were discontinued in 2025.

The current version of Outerbase Studio operates purely as a client-side application, with dashboard data stored locally in the browser.

Impact

In the current architecture, the impact is limited to local self-XSS within a user's browser session. The previously described scenarios involving:

  • authentication token theft
  • account takeover
  • database access

are no longer applicable since there are no active backend services or authentication tokens.

Remediation

The unsafe HTML rendering in the Text Widget has been removed in commit https://github.com/outerbase/studio/commit/b06fb85e5967440278d5a815721b360920566ab9 by eliminating the use of dangerouslySetInnerHTML.

Database specific 
{
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-19T21:18:44Z",
    "nvd_published_at": null,
    "severity": "MODERATE",
    "cwe_ids": [
        "CWE-79"
    ]
}
References

Affected packages

npm / @outerbase/studio

Package

Name
@outerbase/studio
View open source insights on deps.dev
Purl
pkg:npm/%40outerbase%2Fstudio

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Last affected
0.10.2

Database specific

source 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-wwf9-7jrc-rv4q/GHSA-wwf9-7jrc-rv4q.json"