CVE-2026-7299

6.3 MEDIUM
Published: June 02, 2026 Modified: June 04, 2026
View on NVD

Description

Appsmith’s SQL query editor’s autocomplete functionality fails to sanitize database object names before rendering them in innerHTML, allowing an authenticated Developer to inject persistent XSS by a malicious table or column names triggering arbitrary code execution in the sessions of other workspace members when they interact with the same datasource.

AI Explanation

Get an AI-powered plain-language explanation of this vulnerability and remediation steps.

Login to generate AI explanation

CVSS v3.x Details

0.0 Low Medium High Critical 10.0
Vector String
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N

References to Advisories, Solutions, and Tools

Patch Vendor Advisory Exploit Third Party Advisory
https://github.com/Stuub/Appsmith-1.98-Stored-XSS-Exploit
Source: cret@cert.org
Exploit Third Party Advisory
https://github.com/appsmithorg/appsmith/commit/99d69180919981ed9bc5484050d809a5bec68acc
Source: cret@cert.org
Patch
https://github.com/appsmithorg/appsmith/pull/41666
Source: cret@cert.org
Issue Tracking Patch Vendor Advisory
https://github.com/appsmithorg/appsmith/releases/tag/v2.1
Source: cret@cert.org
Release Notes
https://github.com/appsmithorg/appsmith/security/advisories/GHSA-vvxf-f8q9-86gh
Source: cret@cert.org
Vendor Advisory
https://www.kb.cert.org/vuls/id/265691
Source: af854a3a-2127-422b-91ae-364da2661108
Patch Third Party Advisory
https://github.com/Stuub/Appsmith-1.98-Stored-XSS-Exploit
Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0
Exploit Third Party Advisory

7 reference(s) from NVD

Quick Stats

CVSS v3 Score
6.3 / 10.0
EPSS (Exploit Probability)
0.2%
16th percentile
Exploitation Status
Not in CISA KEV

Weaknesses (CWE)

CWE-79

Affected Vendors

appsmith

Related CVEs

CVE-2026-48777 N/A
CVE-2026-47750 7.8
CVE-2026-47747 7.8
CVE-2026-46448 5.4
CVE-2026-22313 9.1