Impact
A stored cross‑site scripting flaw exists in the TableWidgetV2 component of Appsmith versions prior to 1.96. The flaw arises from missing HTML sanitization in the React rendering pipeline, allowing an attacker to inject malicious attributes that are rendered by browsers. When an ordinary user triggers the "Invite Users" functionality, the injected code causes a System Administrator to unknowingly execute a high‑privileged API call to "/api/v1/admin/env", leading to full administrative takeover. The vulnerability therefore combines a client‑side scripting defect (CWE‑79) with a privilege escalation outcome.
Affected Systems
Appsmith deployments (the Appsmith.org platform for building admin panels, internal tools, and dashboards) running any version earlier than 1.96. Users of TableWidgetV2 components in these deployments are at risk until the patch is applied.
Risk and Exploitability
The CVSS score of 9.1 indicates a severe issue. Although the EPSS score is less than 1%, exploitation is straightforward for an attacker with a low‑privilege account. The vulnerability is not currently listed in CISA’s KEV catalog, but the exploitation chain requires only access to the invite feature and a legitimate user session. Once the attacker supplies the malicious payload, no network access or credentials beyond those of a regular user are needed. The exploit path uses client‑side cross‑site scripting to force a privileged API call, so the attacker escalates privileges inside the application without needing any additional network privileges.
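A defender-side triage check for the chain described above, as an added example (not code from Appsmith or from this advisory): it scans web access logs for write requests to "/api/v1/admin/env" whose Referer is not the admin settings UI. The combined log format, the "/settings/" path, the host name and every sample line are assumptions constructed for illustration.

```javascript
// Added example: flag writes to the admin env endpoint that did not come from the settings UI.
const ADMIN_ENV_PATH = "/api/v1/admin/env"; // endpoint named in the advisory
const EXPECTED_REFERER_PATH = "/settings/"; // ASSUMPTION: where the admin settings UI lives
const WRITE_METHODS = new Set(["POST", "PUT", "PATCH", "DELETE"]);

// Combined log format: ip ident user [time] "METHOD path proto" status bytes "referer" "ua"
const LINE_RE =
  /^(\S+) \S+ (\S+) \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "[^"]*"$/;

// Constructed sample lines (hypothetical host, users and paths; not real traffic).
const SAMPLE_LOG = [
  '10.0.0.5 - admin [12/Mar/2025:09:14:02 +0000] "GET /api/v1/admin/env HTTP/1.1" 200 5120 "https://appsmith.example/settings/general" "Mozilla/5.0"',
  '10.0.0.5 - admin [12/Mar/2025:09:15:40 +0000] "PUT /api/v1/admin/env HTTP/1.1" 200 312 "https://appsmith.example/settings/general" "Mozilla/5.0"',
  '10.0.0.7 - admin [12/Mar/2025:09:20:11 +0000] "PUT /api/v1/admin/env HTTP/1.1" 200 312 "https://appsmith.example/app/demo/page-1" "Mozilla/5.0"',
  '10.0.0.9 - admin [12/Mar/2025:09:31:57 +0000] "PUT /api/v1/admin/env?x=1 HTTP/1.1" 200 312 "-" "Mozilla/5.0"',
  'truncated line that does not parse',
];

function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null; // skip malformed or truncated entries
  return { ip: m[1], user: m[2], time: m[3], method: m[4],
           path: m[5].split("?")[0], status: Number(m[6]), referer: m[7] };
}

// Returns the Referer's path, or null when the header is absent or unparsable.
function refererPath(referer) {
  if (!referer || referer === "-") return null;
  try { return new URL(referer).pathname; } catch (err) { return null; }
}

// A script running in a widget page sends the request with that page as Referer,
// so a write to the env endpoint from anywhere but the settings UI needs review.
function findSuspectAdminEnvWrites(lines) {
  const hits = [];
  for (const line of lines) {
    const e = parseLine(line);
    if (!e || e.path !== ADMIN_ENV_PATH || !WRITE_METHODS.has(e.method)) continue;
    const rp = refererPath(e.referer);
    if (rp !== null && rp.startsWith(EXPECTED_REFERER_PATH)) continue;
    hits.push({ ...e, reason: rp === null ? "missing-referer" : "referer-outside-settings" });
  }
  return hits;
}

for (const h of findSuspectAdminEnvWrites(SAMPLE_LOG)) {
  console.log(`${h.time} ${h.ip} ${h.user} ${h.method} ${h.path} -> ${h.reason} (${h.referer})`);
}
```

A Referrer-Policy that strips the path makes legitimate writes show up as hits, so treat the output as leads to correlate with other records rather than as confirmation.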