ToolJet is the open-source foundation am AI-native platform for building and deploying internal tools, workflows and AI agents. Prior to 3.20.178-lts, any authenticated user with builder role (free tier) can overwrite a globally-shared marketplace plugin with arbitrary JavaScript that executes server-side with full Node.js access (require, process). The malicious code runs whenever any user on the instance triggers a query using that plugin — achieving both RCE and supply-chain compromise of the entire ToolJet deployment. This vulnerability is fixed in 3.20.178-lts.
CVSS
No CVSS.
References
Configurations
No configuration.
History
25 Jun 2026, 19:16
| Type | Values Removed | Values Added |
|---|---|---|
| References | () https://github.com/ToolJet/ToolJet/security/advisories/GHSA-jgmf-cw3v-r98x - |
25 Jun 2026, 17:16
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2026-06-25 17:16
Updated : 2026-06-25 19:16
NVD link : CVE-2026-55413
Mitre link : CVE-2026-55413
CVE.ORG link : CVE-2026-55413
JSON object : View
Products Affected
No product.
CWE
CWE-94
Improper Control of Generation of Code ('Code Injection')
