CVE-2026-55650

MEDIUMPre-NVD 4.44.4
EchelonGraph scoreHIGH confidence

Score 4.4 from GitHub Security Advisory published 2026-06-19. the CNA's CVSS baseline 4.4; sources differ by 0.0.

Triggered by: GitHub Security Advisory CVSS
Sources: cna:github_m, ghsa
4.4
EchelonGraph verdictMonitorLow exploitation likelihood right now — keep watching.
  • Lower severity and no public exploit yet
CISA-KEV: Not listedEPSS: CVSS: 4.4Exploit: NoneExposed: 0

No vendor fix yet — apply a workaround or compensating control (WAF / firewall / segmentation) and watch for a patch.

Outerbase Studio: Stored XSS in Text Widget Leads to Authentication Token Exposure

Summary

A Stored Cross-Site Scripting (XSS) issue previously existed in the Text Widget in Board of Outerbase Studio where unsanitized HTML could be rendered using dangerouslySetInnerHTML

Steps to Reproduce

  • Create a new dashboard.
  • Add a Text widget.
  • Insert the following payload:

Architectural Context

Outerbase Cloud and its backend services were discontinued in 2025.

The current version of Outerbase Studio operates purely as a client-side application, with dashboard data stored locally in the browser.

Impact

In the current architecture, the impact is limited to local self-XSS within a user's browser session. The previously described scenarios involving:

  • authentication token theft
  • account takeover
  • database access

are no longer applicable since there are no active backend services or authentication tokens.

Remediation

The unsafe HTML rendering in the Text Widget has been removed in commit https://github.com/outerbase/studio/commit/b06fb85e5967440278d5a815721b360920566ab9 by eliminating the use of dangerouslySetInnerHTML.

CVSS v3
4.4
EG Score
4.4(high)
EPSS
KEV
Not listed

Published

June 19, 2026

Last Modified

June 19, 2026

Vendor Advisories for CVE-2026-55650(1)

These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.

Patch Availability(1)

Vendor / EcosystemFixed in / PatchReleasedSource
npm@outerbase/studioghsa

Patches are aggregated from vendor advisories (Red Hat, Microsoft, Cisco, GitHub) and package ecosystems (OSV, GHSA). Multiple rows for the same upstream release have been deduplicated.

Affected Packages

(1 across 1 ecosystem)
npm(1)
PackageVulnerable rangeFixed inDependents
@outerbase/studio

Weakness Classification(1)

MITRE Common Weakness Enumeration — the root-cause categories this CVE belongs to.

Data Freshness Timeline

(refreshed 14× in last 7d / 34× in last 30d)

Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.

  1. 2026-07-06 17:45 UTCEG score recompute
  2. 2026-07-06 17:45 UTCGHSA enrichment
  3. 2026-07-05 16:23 UTCEG score recompute
  4. 2026-07-05 16:22 UTCGHSA enrichment
  5. 2026-07-04 14:56 UTCEG score recompute
  6. 2026-07-04 14:56 UTCGHSA enrichment
  7. 2026-07-03 13:42 UTCEG score recompute
  8. 2026-07-03 13:42 UTCGHSA enrichment
  9. 2026-07-02 12:28 UTCEG score recompute
  10. 2026-07-02 12:28 UTCGHSA enrichment
  11. 2026-07-01 11:14 UTCEG score recompute
  12. 2026-07-01 11:14 UTCGHSA enrichment
  13. 2026-06-30 10:00 UTCEG score recompute
  14. 2026-06-30 09:59 UTCGHSA enrichment
  15. 2026-06-29 08:39 UTCEG score recompute
  16. 2026-06-29 08:38 UTCGHSA enrichment
  17. 2026-06-28 07:22 UTCEG score recompute
  18. 2026-06-28 07:22 UTCGHSA enrichment
  19. 2026-06-27 06:08 UTCEG score recompute
  20. 2026-06-27 06:08 UTCGHSA enrichment
  21. 2026-06-26 04:54 UTCEG score recompute
  22. 2026-06-26 04:54 UTCGHSA enrichment
  23. 2026-06-25 03:39 UTCEG score recompute
  24. 2026-06-25 03:39 UTCGHSA enrichment
  25. 2026-06-24 02:23 UTCEG score recompute
Show 9 more
  1. 2026-06-24 02:23 UTCGHSA enrichment
  2. 2026-06-23 01:09 UTCEG score recompute
  3. 2026-06-23 01:09 UTCGHSA enrichment
  4. 2026-06-21 23:54 UTCEG score recompute
  5. 2026-06-21 23:54 UTCGHSA enrichment
  6. 2026-06-20 22:38 UTCEG score recompute
  7. 2026-06-20 22:37 UTCGHSA enrichment
  8. 2026-06-19 21:23 UTCEG score recompute
  9. 2026-06-19 21:23 UTCGHSA enrichment

Frequently asked(4)

What is CVE-2026-55650?
CVE-2026-55650 is a medium vulnerability published on June 19, 2026. Outerbase Studio: Stored XSS in Text Widget Leads to Authentication Token Exposure Summary A Stored Cross-Site Scripting (XSS) issue previously existed in the Text Widget in Board of Outerbase Studio where unsanitized HTML could be rendered using dangerouslySetInnerHTML Steps to Reproduce 1. Create…
When was CVE-2026-55650 disclosed?
CVE-2026-55650 was first published in the National Vulnerability Database on June 19, 2026. EchelonGraph re-ingests CVE updates from NVD on a 2-hour cycle, so this page reflects the latest published state.
What is the CVSS score of CVE-2026-55650?
CVE-2026-55650 has a CVSS v4.0 base score of 4.4 (CNA self-assessment; NVD's own analysis pending).
How do I remediate CVE-2026-55650?
Patch to the fixed version published by the affected vendor. Where vendor advisories exist for CVE-2026-55650, EchelonGraph cross-links them in the Vendor Advisories panel below — those typically contain the canonical remediation steps, fixed version numbers, and any vendor-specific mitigations.

Dependency Blast Radius

See which npm, PyPI, Go, and Maven packages are affected by CVE-2026-55650

Explore →

Is Your Infrastructure Affected by CVE-2026-55650?

EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.