CVE-2026-55413: ToolJet is the open-source foundation am AI-native platform for building and deploying internal tools, workflows and AI
Summary
ToolJet is an open-source platform for building internal tools and AI agents. Before version 3.20.178-lts, any authenticated user with a builder role could inject malicious JavaScript code into shared marketplace plugins, allowing them to execute commands on the server with full Node.js access (the ability to run any code the server can run). This malicious code would run whenever anyone on the system used that compromised plugin, compromising the entire ToolJet deployment.
Solution / Mitigation
Update ToolJet to version 3.20.178-lts or later, where this vulnerability is fixed.
Vulnerability Details
EPSS: 0.0%
June 25, 2026
Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-55413
First tracked: June 25, 2026 at 02:11 PM