Description
Appium is a cross-platform automation framework for all kinds of apps, built on top of the W3C WebDriver protocol. Prior to 10.7.0, Appium's base-driver unconditionally mounts the /test/guinea-pig, /test/guinea-pig-scrollable, and /test/guinea-pig-app-banner routes, and compileLodashTemplate reflects the throwError query parameter, comments POST field, and User-Agent request header into HTML without escaping, allowing reflected cross-site scripting and arbitrary JavaScript execution on the server origin. This issue is fixed in version 10.7.0.
Published: 2026-07-08
Score: 6.5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability lies in Appium's base-driver, which renders the throwError query parameter, comments POST field, and User-Agent header directly into the HTML of the /test/guinea-pig routes without escaping. This allows an attacker to inject malicious JavaScript that is reflected back to the client and executed within the context of the server origin, providing a vector for arbitrary code execution and potentially compromising users who interact with those pages. The weakness corresponds to CWE-79 (Cross‑Site Scripting) and CWE-489 (Improper Restriction of Possible Intrinsic Execution Context).

Affected Systems

All Appium deployments that use the default /test/guinea-pig, /test/guinea-pig-scrollable, and /test/guinea-pig-app-banner endpoints in a version prior to 10.7.0 are affected. This includes the open‑source Appium distribution and any enterprise builds that have not applied the fix available in 10.7.0. The impact is limited to requests sent to those specific test routes; the rest of the Appium server is unaffected.

Risk and Exploitability

With a CVSS score of 6.5 the vulnerability is considered moderate. The EPSS score is not available, and the vulnerability is not listed in CISA's KEV catalog. Attackers who can reach the Appium server can exploit the flaw by sending a crafted HTTP request to one of the unprotected test routes, causing the reflected payload to be executed on the server origin. Although no publicly known exploit exists yet, the nature of the vulnerability and the moderate risk warrant timely remediation.

Generated by OpenCVE AI on July 9, 2026 at 03:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Appium to version 10.7.0 or later, which removes the vulnerable route handling.
  • If upgrade is not yet possible, disable or delete the /test/guinea-pig, /test/guinea-pig-scrollable, and /test/guinea-pig-app-banner endpoints by configuring the base-driver or editing the routing configuration.
  • Restrict network access to the Appium server so that only trusted internal hosts can reach the test routes, for example by placing the server behind a firewall or configuring host‑based access controls.

Generated by OpenCVE AI on July 9, 2026 at 03:55 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 08 Jul 2026 21:15:00 +0000

Type Values Removed Values Added
Description Appium is a cross-platform automation framework for all kinds of apps, built on top of the W3C WebDriver protocol. Prior to 10.7.0, Appium's base-driver unconditionally mounts the /test/guinea-pig, /test/guinea-pig-scrollable, and /test/guinea-pig-app-banner routes, and compileLodashTemplate reflects the throwError query parameter, comments POST field, and User-Agent request header into HTML without escaping, allowing reflected cross-site scripting and arbitrary JavaScript execution on the server origin. This issue is fixed in version 10.7.0.
Title Appium: Reflected XSS / arbitrary JS in @appium/base-driver /test/guinea-pig* routes
Weaknesses CWE-489
CWE-79
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N'}


Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-07-08T20:57:43.237Z

Reserved: 2026-06-29T17:09:25.871Z

Link: CVE-2026-58191

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-09T04:00:11Z

Weaknesses
  • CWE-489

    Active Debug Code

  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')