CVE-2026-55413
CriticalCVSS 9.4Exploitation Probability (EPSS)
Low risk17th percentile — higher than 17% of all known CVEs
Summary
In ToolJet prior to version 3.20.178-lts, any authenticated user with builder role (free tier) could overwrite a globally-shared marketplace plugin with arbitrary JavaScript that executed server-side with full Node.js access. The malicious code ran whenever any user on the instance triggered a query using that plugin, leading to remote code execution (RCE) and supply-chain compromise of the entire ToolJet deployment.
Risk Assessment
The organization is exposed to remote code execution and potential compromise of the entire ToolJet environment, which may lead to data loss and security breaches.
Recommendation
It is recommended to upgrade to version 3.20.178-lts or later to mitigate this vulnerability and to conduct a security audit of existing plugins.
Original NVD description (English source)
ToolJet is the open-source foundation am AI-native platform for building and deploying internal tools, workflows and AI agents. Prior to 3.20.178-lts, any authenticated user with builder role (free tier) can overwrite a globally-shared marketplace plugin with arbitrary JavaScript that executes server-side with full Node.js access (require, process). The malicious code runs whenever any user on the instance triggers a query using that plugin — achieving both RCE and supply-chain compromise of the entire ToolJet deployment. This vulnerability is fixed in 3.20.178-lts.

