9.6

CVE-2026-22794

Exploit

EPSS 0.02%
Veröffentlicht 12.01.2026 21:54:52
Zuletzt bearbeitet 21.01.2026 19:14:17
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Appsmith is a platform to build admin panels, internal tools, and dashboards. Prior to 1.93, the server uses the Origin value from the request headers as the email link baseUrl without validation. If an attacker controls the Origin, password reset / email verification links in emails can be generated pointing to the attacker’s domain, causing authentication tokens to be exposed and potentially leading to account takeover. This vulnerability is fixed in 1.93.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 5

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Appsmith ≫ Appsmith Version < 1.93

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.02%	0.032

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	8.8	2.8	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
security-advisories@github.com	9.6	2.8	6	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

CWE-346 Origin Validation Error

The product does not properly verify that the source of data or communication is valid.

https://github.com/appsmithorg/appsmith/security/advisories/GHSA-7hf5-mc28-xmcv

Vendor Advisory

Exploit

https://github.com/appsmithorg/appsmith/commit/6f9ee6226bac13fb4b836940b557913fff78b633

Patch

https://nvd.nist.gov/vuln/detail/CVE-2026-22794

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-22794

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-22794

EUVD