CVE-2026-55413

PUBLISHED

Published: 25 Jun 2026, 16:03

Last modified:25 Jun 2026, 18:01

Vulnerability Summary

Overall Risk (default)

high

70/100

CVSS Score

9.4 CRITICAL

v4.0 (cve.org)

EPSS Score

No data

KEV

Not listed

Ransomware

No reports

Public exploits

None found

Dark Web

Not detected

Timeline

25 Jun 2026, 16:03

Published

Vulnerability first disclosed

25 Jun 2026, 18:01

Last Modified

Vulnerability information updated

Description

ToolJet is the open-source foundation am AI-native platform for building and deploying internal tools, workflows and AI agents. Prior to 3.20.178-lts, any authenticated user with builder role (free tier) can overwrite a globally-shared marketplace plugin with arbitrary JavaScript that executes server-side with full Node.js access (require, process). The malicious code runs whenever any user on the instance triggers a query using that plugin — achieving both RCE and supply-chain compromise of the entire ToolJet deployment. This vulnerability is fixed in 3.20.178-lts.

CVSS Metrics

v4.0•CRITICAL•Score: 9.4CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Techniques & Countermeasures

CWE-94•Improper Control of Generation of Code ('Code Injection')
The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

Affected Systems

tooljet•tooljet
< 3.20.178-lts

References (1)

https://github.com/ToolJet/ToolJet/security/advisories/GHSA-jgmf-cw3v-r98x