Impact
The vulnerability lies in Appium's base-driver, which renders the throwError query parameter, comments POST field, and User-Agent header directly into the HTML of the /test/guinea-pig routes without escaping. This allows an attacker to inject malicious JavaScript that is reflected back to the client and executed within the context of the server origin, providing a vector for arbitrary code execution and potentially compromising users who interact with those pages. The weakness corresponds to CWE-79 (Cross‑Site Scripting) and CWE-489 (Improper Restriction of Possible Intrinsic Execution Context).
Affected Systems
All Appium deployments that use the default /test/guinea-pig, /test/guinea-pig-scrollable, and /test/guinea-pig-app-banner endpoints in a version prior to 10.7.0 are affected. This includes the open‑source Appium distribution and any enterprise builds that have not applied the fix available in 10.7.0. The impact is limited to requests sent to those specific test routes; the rest of the Appium server is unaffected.
Risk and Exploitability
With a CVSS score of 6.5 the vulnerability is considered moderate. The EPSS score is not available, and the vulnerability is not listed in CISA's KEV catalog. Attackers who can reach the Appium server can exploit the flaw by sending a crafted HTTP request to one of the unprotected test routes, causing the reflected payload to be executed on the server origin. Although no publicly known exploit exists yet, the nature of the vulnerability and the moderate risk warrant timely remediation.
OpenCVE Enrichment