CVE-2026-55413

ToolJet is the open-source foundation am AI-native platform for building and deploying internal tools, workflows and AI agents. Prior to 3.20.178-lts, any authenticated user with builder role (free tier) can overwrite a globally-shared marketplace plugin with arbitrary JavaScript that executes server-side with full Node.js access (require, process). The malicious code runs whenever any user on the instance triggers a query using that plugin — achieving both RCE and supply-chain compromise of the entire ToolJet deployment. This vulnerability is fixed in 3.20.178-lts.
CVSS

No CVSS.

Configurations

No configuration.

History

25 Jun 2026, 19:16

Type Values Removed Values Added
References () https://github.com/ToolJet/ToolJet/security/advisories/GHSA-jgmf-cw3v-r98x - () https://github.com/ToolJet/ToolJet/security/advisories/GHSA-jgmf-cw3v-r98x -

25 Jun 2026, 17:16

Type Values Removed Values Added
New CVE

Information

Published : 2026-06-25 17:16

Updated : 2026-06-25 19:16


NVD link : CVE-2026-55413

Mitre link : CVE-2026-55413

CVE.ORG link : CVE-2026-55413


JSON object : View

Products Affected

No product.

CWE
CWE-94

Improper Control of Generation of Code ('Code Injection')