CVE Catalog

CVE-2026-55413

CriticalCVSS 9.4
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.26%

17th percentile — higher than 17% of all known CVEs

Summary

In ToolJet prior to version 3.20.178-lts, any authenticated user with builder role (free tier) could overwrite a globally-shared marketplace plugin with arbitrary JavaScript that executed server-side with full Node.js access. The malicious code ran whenever any user on the instance triggered a query using that plugin, leading to remote code execution (RCE) and supply-chain compromise of the entire ToolJet deployment.

Risk Assessment

The organization is exposed to remote code execution and potential compromise of the entire ToolJet environment, which may lead to data loss and security breaches.

Recommendation

It is recommended to upgrade to version 3.20.178-lts or later to mitigate this vulnerability and to conduct a security audit of existing plugins.

Original NVD description (English source)

ToolJet is the open-source foundation am AI-native platform for building and deploying internal tools, workflows and AI agents. Prior to 3.20.178-lts, any authenticated user with builder role (free tier) can overwrite a globally-shared marketplace plugin with arbitrary JavaScript that executes server-side with full Node.js access (require, process). The malicious code runs whenever any user on the instance triggers a query using that plugin — achieving both RCE and supply-chain compromise of the entire ToolJet deployment. This vulnerability is fixed in 3.20.178-lts.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS