Stored Cross-Site Scripting Vulnerability in Apache Storm UI
CVE-2026-35565

Currently unrated

Key Information:

Vendor: Apache

CVE Published: 13 April 2026

What is CVE-2026-35565?

The Apache Storm UI is affected by a stored cross-site scripting vulnerability due to the interpolation of unsanitized topology metadata into HTML. This occurs notably in the parseNode() and parseEdge() functions where component IDs, stream names, and grouping values are directly rendered. An authenticated user with the rights to submit topologies can inject malicious HTML/JavaScript into identifiers, which then propagate through the system, allowing potential privilege escalation by executing scripts within an administrator's browser session. This poses a significant risk in multi-tenant environments where less-trusted users have the ability to affect the UI accessed by privileged accounts.
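The interpolation flaw described above, shown beside its output-encoded form. This is an added example, not Apache Storm's code: the function names, the tooltip markup and the sample edge are hypothetical and constructed for illustration.

```javascript
// Added example; names and markup are hypothetical, not taken from Storm's source.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Encode the five characters that can break out of HTML text or a quoted attribute.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// "Before" pattern: topology metadata is concatenated into markup as-is.
function renderEdgeTooltipUnsafe(edge) {
  return `<div class="tip" title="${edge.stream}">` +
         `<b>${edge.source}</b> to <b>${edge.target}</b> (${edge.grouping})</div>`;
}

// Hardened pattern: every metadata field is encoded at the point of output.
function renderEdgeTooltip(edge) {
  const e = {};
  for (const key of ["source", "target", "stream", "grouping"]) {
    e[key] = escapeHtml(edge[key] ?? "");
  }
  return `<div class="tip" title="${e.stream}">` +
         `<b>${e.source}</b> to <b>${e.target}</b> (${e.grouping})</div>`;
}

// Defender check: list the fields whose value changes under encoding, i.e.
// identifiers carrying markup characters, for review or rejection at submit time.
function fieldsWithMarkup(edge) {
  return Object.keys(edge).filter((k) => escapeHtml(edge[k]) !== String(edge[k]));
}

// Constructed sample: a component ID carrying markup, as a topology submitter could supply.
const sampleEdge = {
  source: "spout<img src=x onerror=alert(1)>",
  target: "count-bolt",
  stream: "default",
  grouping: "shuffle",
};

console.log(renderEdgeTooltipUnsafe(sampleEdge)); // markup from the ID lands in the page
console.log(renderEdgeTooltip(sampleEdge));       // same ID rendered as inert text
console.log(fieldsWithMarkup(sampleEdge));        // [ 'source' ]
```

In browser code, assigning metadata through `textContent` or `setAttribute` instead of building HTML strings avoids the need for manual encoding.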

Affected Version(s)

Apache Storm UI versions before 2.8.6
