CVE-2026-22794 (CVSS 9.6; tagged: Exploit)

Account Takeover Vulnerability in Appsmith

Appsmith is a platform to build admin panels, internal tools, and dashboards. Prior to version 1.93, the server uses the Origin value from the request headers as the email link baseUrl without validation. If an attacker controls the Origin header, password reset / email verification links in emails can be generated pointing to the attacker's domain, causing authentication tokens to be exposed and potentially leading to account takeover. This vulnerability is fixed in 1.93.

Data provided by the National Vulnerability Database (NVD)

Affected: Appsmith (vendor Appsmith), version < 1.93
No warning was found for this CVE.

EPSS Metrics

Type   Source      Score   Percentile
EPSS   FIRST.org   0.39%   0.309
CVSS Metrics

Source                            Base Score   Exploit Score   Impact Score   Vector String
nvd@nist.gov                      8.8          2.8             5.9            CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
security-advisories@github.com    9.6          2.8             6              CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
CWE-346 Origin Validation Error

The product does not properly verify that the source of data or communication is valid.

https://github.com/appsmithorg/appsmith/security/advisories/GHSA-7hf5-mc28-xmcv (Vendor Advisory, Exploit)
https://github.com/appsmithorg/appsmith/commit/6f9ee6226bac13fb4b836940b557913fff78b633 (Patch)