6.3

CVE-2026-7299

Media Report
Exploit


Appsmith's SQL query editor autocomplete fails to sanitize database object names before rendering them via innerHTML. An authenticated Developer can therefore inject persistent XSS through malicious table or column names, triggering arbitrary code execution in the sessions of other workspace members when they interact with the same datasource.
Data provided by the National Vulnerability Database (NVD)
Appsmith, Appsmith Version < 1.99
VulnDex Vulnerability Enrichment
No advisory warning was found for this CVE.
EPSS Metrics
Type    Source      Score   Percentile
EPSS    FIRST.org   0.34%   0.258
CVSS Metrics
Source          Base Score   Exploit Score   Impact Score   Vector String
nvd@nist.gov    5.4          2.3             2.7            CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
cret@cert.org   6.3          2.1             4.2            CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

A VulnDex account is required to access Vulnerability Intelligence.
VulnDex Intel
Media Report
08.06.2026 16:25
https://github.com/appsmithorg/appsmith/security/advisories/GHSA-vvxf-f8q9-86gh (Vendor Advisory)
https://github.com/appsmithorg/appsmith/pull/41666 (Patch, Vendor Advisory, Issue Tracking)
https://github.com/Stuub/Appsmith-1.98-Stored-XSS-Exploit (Third Party Advisory, Exploit)
https://github.com/appsmithorg/appsmith/releases/tag/v2.1 (Release Notes)
https://github.com/appsmithorg/appsmith/commit/99d69180919981ed9bc5484050d809a5bec68acc (Patch)
https://www.kb.cert.org/vuls/id/265691 (Patch, Third Party Advisory)