
Appsmith CVE-2026-7299 | EUVD-2026-33936 | MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-06-02 · certcc · GHSA-6j63-xfwq-f8vj
CVSS 3.1 (NVD): 6.3

Severity by source

NVD (primary): 6.3 MEDIUM
Vector: AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N

  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: Required
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: Low
  • Availability: None

Lifecycle Timeline (3 events)

  • Patch available: Jun 02, 2026 17:01 (EUVD)
  • Source Code Evidence Fetched: Jun 02, 2026 16:03 (vuln.today)
  • Analysis Generated: Jun 02, 2026 16:03 (vuln.today)

Description (CVE.org)

Appsmith’s SQL query editor’s autocomplete functionality fails to sanitize database object names before rendering them in innerHTML, allowing an authenticated Developer to inject persistent XSS via malicious table or column names, triggering arbitrary code execution in the sessions of other workspace members when they interact with the same datasource.

Analysis (AI)

Stored XSS in Appsmith's SQL query editor autocomplete allows an authenticated Developer-role user to inject persistent malicious JavaScript via crafted database table or column names that are rendered unsanitized through innerHTML. When other workspace members interact with the same datasource's query editor, the injected script executes in their browser session, enabling session token theft and unauthorized actions with high confidentiality impact (CVSS C:H). …
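The rendering path described above, as an added example that is not Appsmith's code and does not reproduce its patch: an autocomplete list is built from schema metadata, and the difference between the vulnerable pattern (interpolating object names into a string assigned to innerHTML) and two standard fixes (HTML-escaping the name, or creating the element and setting textContent). The schema, the `suggestion` class name and the identifier check are constructed for illustration; the third table name is a deliberately harmless string that only contains markup characters, to show that escaping neutralises it.

```javascript
// Added example, not code from Appsmith. Shows why unsanitised schema names
// are a stored-XSS sink in an innerHTML-driven autocomplete, and how to fix it.

// Constructed sample schema, shaped like what a datasource introspection might
// return. The third table name is a harmless constructed string with markup
// characters in it.
const SAMPLE_SCHEMA = {
  tables: [
    { name: "users", columns: ["id", "email"] },
    { name: "orders", columns: ["id", "user_id", "total"] },
    { name: '<b title="x">weird</b> & "quoted"', columns: ["a<b"] },
  ],
};

// Vulnerable pattern: trust the name and build markup by string concatenation.
// Once this string is assigned to innerHTML, any markup in `name` becomes live DOM.
function renderSuggestionUnsafe(name) {
  return `<li class="suggestion">${name}</li>`;
}

// Fix 1: escape the five HTML-significant characters before interpolation, so
// the name is displayed literally even when the result is assigned to innerHTML.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

function renderSuggestionSafe(name) {
  return `<li class="suggestion">${escapeHtml(name)}</li>`;
}

// Fix 2 (preferred when a DOM is available): never build HTML from data. Create
// the element and assign the name via textContent, which is never parsed as markup.
// `doc` is a parameter only so the function can be exercised without a browser.
function appendSuggestion(listEl, name, doc = globalThis.document) {
  const li = doc.createElement("li");
  li.className = "suggestion";
  li.textContent = name;
  listEl.appendChild(li);
  return li;
}

// Flatten the schema into the candidate strings an autocomplete would offer.
function suggestionNames(schema) {
  const out = [];
  for (const t of schema.tables) {
    out.push(t.name);
    for (const c of t.columns) out.push(`${t.name}.${c}`);
  }
  return out;
}

// Defender-side check: flag object names that do not look like plain SQL
// identifiers. Usable as a server-side sanity check when schema metadata is
// refreshed, or as a filter when reviewing stored metadata after an incident.
// The identifier grammar here is a constructed, conservative approximation.
const IDENTIFIER_RE = /^[A-Za-z_][A-Za-z0-9_$]*$/;
function suspiciousNames(schema) {
  return suggestionNames(schema).filter(
    (n) => !n.split(".").every((part) => IDENTIFIER_RE.test(part)),
  );
}

// True when the rendered fragment carries no tag or attribute-breaking characters
// outside the fixed <li> wrapper, i.e. the name could not have changed the DOM.
function fragmentIsInert(html) {
  const inner = html.replace(/^<li class="suggestion">/, "").replace(/<\/li>$/, "");
  return !/[<>"']/.test(inner);
}

// Demonstration on the constructed schema.
for (const name of suggestionNames(SAMPLE_SCHEMA)) {
  console.log(fragmentIsInert(renderSuggestionUnsafe(name)) ? "inert " : "LIVE  ", name);
}
console.log("flagged by identifier check:", suspiciousNames(SAMPLE_SCHEMA));
```

The identifier check is deliberately strict: quoted identifiers with spaces or punctuation are legal in most databases, so a production deployment would tune the grammar to its own naming policy rather than reject them outright. The point it makes for this CVE is that the output encoding (escaping or textContent) is the actual fix, and name validation is a second, independent layer that also gives defenders a cheap way to audit stored schema metadata.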


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

  • Recon: Attacker obtains Developer role in Appsmith workspace
  • Delivery: Creates or modifies SQL datasource with malicious object name
  • Exploit: XSS payload persists in server-side schema metadata
  • Install: Victim opens SQL query editor on poisoned datasource
  • C2: Autocomplete renders object name via innerHTML unsanitized
  • Execute: Browser executes injected JavaScript in victim session
  • Impact: Session credentials exfiltrated to attacker

Vulnerability Assessment (AI)

Exploitation: The attacker must hold at minimum a Developer role within the target Appsmith workspace, confirmed by the CVSS PR:L (low privilege required) indicator - unauthenticated exploitation is not possible. … Additional conditions and limiting factors are described in the full assessment.

Risk Assessment: The CVSS 6.3 (Medium) vector AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N accurately captures the network-reachable, low-complexity nature of the attack while acknowledging the two limiting factors: the attacker requires low-privilege (Developer) access (PR:L), and a victim must interact with the poisoned autocomplete (UI:R). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.

Exploit Scenario: An attacker with Appsmith Developer role access connects a SQL datasource and renames a table or column to a JavaScript payload such as an image tag with an onerror handler that beacons the victim's session cookie to an attacker-controlled endpoint. When any other workspace member opens the SQL query editor and types in the query window - triggering autocomplete for that datasource - the browser renders the malicious object name via innerHTML, silently executing the payload and exfiltrating the victim's active session token. …

Remediation: Upgrade to Appsmith v2.1 or later, referenced by the GitHub release tag at https://github.com/appsmithorg/appsmith/releases/tag/v2.1 and associated commit https://github.com/appsmithorg/appsmith/commit/99d69180919981ed9bc5484050d809a5bec68acc. … Detailed patch versions, workarounds, and compensating controls in full report.



CVE-2026-7299 vulnerability details – vuln.today
