CVE-2026-55413
ToolJet - Marketplace Plugin Poisoning Enables Instance-Wide Remote Code Execution
| CVSS Score | 0.0 |
| EPSS Score | 0.0% |
| EPSS Percentile | 0th |
ToolJet is the open-source foundation of an AI-native platform for building and deploying internal tools, workflows and AI agents. Prior to 3.20.178-lts, any authenticated user with the builder role (available on the free tier) can overwrite a globally shared marketplace plugin with arbitrary JavaScript that executes server-side with full Node.js access (`require`, `process`). The malicious code runs whenever any user on the instance triggers a query using that plugin, achieving both remote code execution and a supply-chain compromise of the entire ToolJet deployment. This vulnerability is fixed in 3.20.178-lts.
| CWE | CWE-94 |
| Vendor | tooljet |
| Product | tooljet |
| Published | Jun 25, 2026 |
| Last Updated | Jun 25, 2026 |
Affected Versions

| ToolJet / ToolJet | < 3.20.178-lts |