{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-35565", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "state": "PUBLISHED", "assignerShortName": "apache", "dateReserved": "2026-04-03T15:14:12.281Z", "datePublished": "2026-04-13T09:10:17.367Z", "dateUpdated": "2026-04-13T14:10:07.069Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://repo.maven.apache.org/maven2/", "defaultStatus": "unaffected", "packageName": "org.apache.storm:storm-webapp", "product": "Apache Storm UI", "vendor": "Apache Software Foundation", "versions": [{"lessThan": "2.8.6", "status": "affected", "version": "0", "versionType": "semver"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p><strong>Stored Cross-Site Scripting (XSS) via Unsanitized Topology Metadata in Apache Storm UI</strong></p>\n<p><strong>Versions Affected:</strong> before 2.8.6</p>\n<p><strong>Description:</strong> The Storm UI visualization component interpolates topology metadata including component IDs, stream names, and grouping values directly into HTML via <code>innerHTML</code> in <code>parseNode()</code> and <code>parseEdge()</code> without sanitization at any layer. An authenticated user with topology submission rights could craft a topology containing malicious HTML/JavaScript in component identifiers (e.g., a bolt ID containing an <code>onerror</code> event handler). This payload flows through Nimbus \u2192 Thrift \u2192 the Visualization API \u2192 vis.js tooltip rendering, resulting in stored cross-site scripting.&nbsp;</p><p>In multi-tenant deployments where topology submission is available to less-trusted users but the UI is accessed by operators or administrators, this enables privilege escalation through script execution in an admin's browser session.</p>\n<p><strong>Mitigation:</strong>&nbsp;2.x users should upgrade to 2.8.6. Users who cannot upgrade immediately should monkey-patch the <code>parseNode()</code> and <code>parseEdge()</code> functions in the visualization JavaScript file to HTML-escape all API-supplied values including <code>nodeId</code>, <code>:capacity</code>, <code>:latency</code>, <code>:component</code>, <code>:stream</code>, and <code>:grouping</code>&nbsp;before interpolation into tooltip HTML strings, and should additionally restrict topology submission to trusted users via Nimbus ACLs as a defense-in-depth measure.&nbsp;A guide on how to do this is available in the release notes of 2.8.6.</p><b>Credit:</b> This issue was discovered while investigating another report by K.<br>"}], "value": "Stored Cross-Site Scripting (XSS) via Unsanitized Topology Metadata in Apache Storm UI\n\n\nVersions Affected: before 2.8.6\n\n\nDescription: The Storm UI visualization component interpolates topology metadata including component IDs, stream names, and grouping values directly into HTML via innerHTML in parseNode() and parseEdge() without sanitization at any layer. An authenticated user with topology submission rights could craft a topology containing malicious HTML/JavaScript in component identifiers (e.g., a bolt ID containing an onerror event handler). This payload flows through Nimbus \u2192 Thrift \u2192 the Visualization API \u2192 vis.js tooltip rendering, resulting in stored cross-site scripting.\u00a0\n\nIn multi-tenant deployments where topology submission is available to less-trusted users but the UI is accessed by operators or administrators, this enables privilege escalation through script execution in an admin's browser session.\n\n\nMitigation:\u00a02.x users should upgrade to 2.8.6. Users who cannot upgrade immediately should monkey-patch the parseNode() and parseEdge() functions in the visualization JavaScript file to HTML-escape all API-supplied values including nodeId, :capacity, :latency, :component, :stream, and :grouping\u00a0before interpolation into tooltip HTML strings, and should additionally restrict topology submission to trusted users via Nimbus ACLs as a defense-in-depth measure.\u00a0A guide on how to do this is available in the release notes of 2.8.6.\n\nCredit: This issue was discovered while investigating another report by K."}], "metrics": [{"other": {"content": {"text": "moderate"}, "type": "Textual description of severity"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2026-04-13T09:10:17.367Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://storm.apache.org/2026/04/12/storm286-released.html"}], "source": {"discovery": "UNKNOWN"}, "title": "Apache Storm UI: Stored Cross-Site Scripting (XSS) via Unsanitized Topology Metadata in Storm UI", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/04/12/7"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-04-13T09:40:05.298Z"}}, {"metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-13T14:09:39.740938Z", "id": "CVE-2026-35565", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-13T14:10:07.069Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/04/12/7"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-04-13T09:40:05.298Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-35565", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-13T14:09:39.740938Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-13T14:08:56.950Z"}}], "cna": {"title": "Apache Storm UI: Stored Cross-Site Scripting (XSS) via Unsanitized Topology Metadata in Storm UI", "source": {"discovery": "UNKNOWN"}, "metrics": [{"other": {"type": "Textual description of severity", "content": {"text": "moderate"}}}], "affected": [{"vendor": "Apache Software Foundation", "product": "Apache Storm UI", "versions": [{"status": "affected", "version": "0", "lessThan": "2.8.6", "versionType": "semver"}], "packageName": "org.apache.storm:storm-webapp", "collectionURL": "https://repo.maven.apache.org/maven2/", "defaultStatus": "unaffected"}], "references": [{"url": "https://storm.apache.org/2026/04/12/storm286-released.html", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Stored Cross-Site Scripting (XSS) via Unsanitized Topology Metadata in Apache Storm UI\n\n\nVersions Affected: before 2.8.6\n\n\nDescription: The Storm UI visualization component interpolates topology metadata including component IDs, stream names, and grouping values directly into HTML via innerHTML in parseNode() and parseEdge() without sanitization at any layer. An authenticated user with topology submission rights could craft a topology containing malicious HTML/JavaScript in component identifiers (e.g., a bolt ID containing an onerror event handler). This payload flows through Nimbus \u2192 Thrift \u2192 the Visualization API \u2192 vis.js tooltip rendering, resulting in stored cross-site scripting.\u00a0\n\nIn multi-tenant deployments where topology submission is available to less-trusted users but the UI is accessed by operators or administrators, this enables privilege escalation through script execution in an admin's browser session.\n\n\nMitigation:\u00a02.x users should upgrade to 2.8.6. Users who cannot upgrade immediately should monkey-patch the parseNode() and parseEdge() functions in the visualization JavaScript file to HTML-escape all API-supplied values including nodeId, :capacity, :latency, :component, :stream, and :grouping\u00a0before interpolation into tooltip HTML strings, and should additionally restrict topology submission to trusted users via Nimbus ACLs as a defense-in-depth measure.\u00a0A guide on how to do this is available in the release notes of 2.8.6.\n\nCredit: This issue was discovered while investigating another report by K.", "supportingMedia": [{"type": "text/html", "value": "<p><strong>Stored Cross-Site Scripting (XSS) via Unsanitized Topology Metadata in Apache Storm UI</strong></p>\n<p><strong>Versions Affected:</strong> before 2.8.6</p>\n<p><strong>Description:</strong> The Storm UI visualization component interpolates topology metadata including component IDs, stream names, and grouping values directly into HTML via <code>innerHTML</code> in <code>parseNode()</code> and <code>parseEdge()</code> without sanitization at any layer. An authenticated user with topology submission rights could craft a topology containing malicious HTML/JavaScript in component identifiers (e.g., a bolt ID containing an <code>onerror</code> event handler). This payload flows through Nimbus \u2192 Thrift \u2192 the Visualization API \u2192 vis.js tooltip rendering, resulting in stored cross-site scripting.&nbsp;</p><p>In multi-tenant deployments where topology submission is available to less-trusted users but the UI is accessed by operators or administrators, this enables privilege escalation through script execution in an admin's browser session.</p>\n<p><strong>Mitigation:</strong>&nbsp;2.x users should upgrade to 2.8.6. Users who cannot upgrade immediately should monkey-patch the <code>parseNode()</code> and <code>parseEdge()</code> functions in the visualization JavaScript file to HTML-escape all API-supplied values including <code>nodeId</code>, <code>:capacity</code>, <code>:latency</code>, <code>:component</code>, <code>:stream</code>, and <code>:grouping</code>&nbsp;before interpolation into tooltip HTML strings, and should additionally restrict topology submission to trusted users via Nimbus ACLs as a defense-in-depth measure.&nbsp;A guide on how to do this is available in the release notes of 2.8.6.</p><b>Credit:</b> This issue was discovered while investigating another report by K.<br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2026-04-13T09:10:17.367Z"}}}, "cveMetadata": {"cveId": "CVE-2026-35565", "state": "PUBLISHED", "dateUpdated": "2026-04-13T14:10:07.069Z", "dateReserved": "2026-04-03T15:14:12.281Z", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "datePublished": "2026-04-13T09:10:17.367Z", "assignerShortName": "apache"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Stored Cross-Site Scripting (XSS) via Unsanitized Topology Metadata in Apache Storm UI\n\n\nVersions Affected: before 2.8.6\n\n\nDescription: The Storm UI visualization component interpolates topology metadata including component IDs, stream names, and grouping values directly into HTML via innerHTML in parseNode() and parseEdge() without sanitization at any layer. An authenticated user with topology submission rights could craft a topology containing malicious HTML/JavaScript in component identifiers (e.g., a bolt ID containing an onerror event handler). This payload flows through Nimbus \u2192 Thrift \u2192 the Visualization API \u2192 vis.js tooltip rendering, resulting in stored cross-site scripting.\u00a0\n\nIn multi-tenant deployments where topology submission is available to less-trusted users but the UI is accessed by operators or administrators, this enables privilege escalation through script execution in an admin's browser session.\n\n\nMitigation:\u00a02.x users should upgrade to 2.8.6. Users who cannot upgrade immediately should monkey-patch the parseNode() and parseEdge() functions in the visualization JavaScript file to HTML-escape all API-supplied values including nodeId, :capacity, :latency, :component, :stream, and :grouping\u00a0before interpolation into tooltip HTML strings, and should additionally restrict topology submission to trusted users via Nimbus ACLs as a defense-in-depth measure.\u00a0A guide on how to do this is available in the release notes of 2.8.6.\n\nCredit: This issue was discovered while investigating another report by K."}], "id": "CVE-2026-35565", "lastModified": "2026-04-13T15:17:33.953", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-13T10:16:11.770", "references": [{"source": "security@apache.org", "url": "https://storm.apache.org/2026/04/12/storm286-released.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2026/04/12/7"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@apache.org", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-13T11:20:55.283989+00:00", "value": {"mitigation_remediation": ["Upgrade Apache Storm UI to version 2.8.6 or later", "If an upgrade cannot be performed immediately, patch the parseNode() and parseEdge() functions in the visualization JavaScript file to HTML\u2011escape all API\u2011supplied values before inserting them into tooltip strings", "Enforce strict Nimbus ACLs to allow only trusted users to submit topologies, providing an additional defense in depth"], "summary": {"action": "Patch", "impact": "Stored Cross\u2011Site Scripting with privilege escalation"}, "threat_synthesis": {"affected_systems": "Apache Storm UI from the Apache Software Foundation is affected for all versions prior to 2.8.6. Only the UI component that renders topology metadata is impacted; the core Storm cluster remains unaffected unless an attacker also possesses UI access.", "description_and_impact": "The vulnerability allows an authenticated user with the right to submit topology definitions to insert malicious HTML or JavaScript into component identifiers. This data is stored and later rendered by the Storm UI visualization layer using innerHTML without any sanitization. As a result, when an operator or administrator views the affected topology, the embedded script executes in the browser session, compromising those higher\u2011privilege users. The impact is the ability to run arbitrary code in the context of administrators or operators, enabling credential theft, lateral movement, or further attacks on the underlying cluster.", "risk_and_exploitability": "The attack requires authentication to submit a topology and access to the UI, which is typically restricted to trusted users. No publicly available CVSS score or EPSS entry is listed, but the presence of a stored XSS and the potential for privilege escalation indicate a non\u2011negligible risk to systems where topology submission rights are granted to multiple tenants. The vulnerability is not listed in the CISA KEV catalog. Exposure depends on the current access controls in place; if operators can view any submitted topology, the risk is significantly higher."}}}}, "created": "2026-04-13T12:52:33.793175+00:00", "updated": "2026-04-13T12:52:33.793200+00:00", "vendors": []}