CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

show all

141 matches found

OSV•added 2026/06/12 6:28 p.m.•8 views

GHSA-J9GF-VW2F-9HRW Appsmith: Configuration-dependent origin validation bypass in password reset and email verification link generation

Summary A configuration-dependent origin validation bypass was identified in Appsmith’s password reset and email verification flows on current release. Both flows derive the email-link base URL from the request Origin header. The current validation only enforces a trusted base URL when...

8.1CVSS5.6AI score

Exploits0References3

OSV•added 2026/06/12 6:27 p.m.•9 views

GHSA-9WCP-79G5-5C3C Appsmith Super User Creation Race Condition Allows Multiple Instance Administrators

Summary The /api/v1/users/super endpoint enforces a restriction that only one super user Instance Administrator can be created during initial setup. However, due to a Time-of-Check-Time-of-Use TOCTOU race condition in the signupAndLoginSuper method, concurrent requests can bypass this restriction...

8.1CVSS5.4AI score

Exploits0References3

RedhatCVE•added 2026/06/05 7:39 p.m.•7 views

CVE-2026-7299

Appsmith’s SQL query editor’s autocomplete functionality fails to sanitize database object names before rendering them in innerHTML, allowing an authenticated Developer to inject persistent XSS by a malicious table or column names triggering arbitrary code execution in the sessions of other...

6.3CVSS6.3AI score0.00245EPSS

Exploits2References1

NVD•added 2026/06/02 4:16 p.m.•8 views

CVE-2026-7299

6.3CVSS0.00245EPSS

Exploits2References6

EUVD•added 2026/06/02 2:7 p.m.•11 views

EUVD-2026-33936

6.3CVSS6.4AI score0.00245EPSS

Exploits2References5

CVE•added 2026/06/02 2:7 p.m.•12 views

CVE-2026-7299

Appsmith CVE-2026-7299 affects the SQL query editor autocomplete renderer, where unsanitized database object names rendered into innerHTML enable persistent XSS by a developer with access. This can execute arbitrary JavaScript in other workspace members’ sessions when interacting with the same da...

6.3CVSS6.4AI score0.00245EPSS

Exploits2References6Affected Software1

Vulnrichment•added 2026/06/02 2:7 p.m.•8 views

CVE-2026-7299 CVE-2026-7299

6.3CVSS6.4AI score0.00245EPSS

Exploits2References5

CNNVD•added 2026/06/02 12:0 a.m.•3 views

Appsmith 安全漏洞

Appsmith is an open-source platform developed by Appsmith itself, used for building, deploying, and maintaining internal applications. Appsmith has a security vulnerability, which stems from the autocompletion feature of the SQL query editor failing to clean up database object names. This...

6.3CVSS5.6AI score0.00245EPSS

Exploits2References6

CERT•added 2026/06/02 12:0 a.m.•8 views

Appsmiths SQL Query autocomplete renderer contains a cross site scripting vulnerability

Overview A stored cross-site scripting XSS vulnerability has been discovered in Appsmith, specifically in the CodeMirror based SQL query editor’s autocomplete renderer. CVE-2026-7299 has been assigned to track the vulnerability. An attacker with developer level access to a shared PostgreSQL...

6.3CVSS6.2AI score0.00245EPSS

Exploits2References5

OSV•added 2026/04/29 8:59 p.m.•4 views

GHSA-H8CJ-HPMG-636V appsmith has SQL Injection in FilterDataService via Unsafe DROP TABLE Execution

Summary A SQL injection vulnerability exists in FilterDataServiceCE.java where the dropTable method constructs a SQL DROP TABLE statement using string concatenation with the table name. If the table name is derived from user input, this allows for arbitrary SQL command execution. Details The...

7.2CVSS6.1AI score

Exploits0References3

Github Security Blog•added 2026/04/29 8:59 p.m.•7 views

appsmith has SQL Injection in FilterDataService via Unsafe DROP TABLE Execution

6.1AI score

Exploits0References3Affected Software1

RedhatCVE•added 2026/04/03 11:2 p.m.•1 views

CVE-2026-5418

A vulnerability was identified in appsmithorg appsmith up to 1.97. Impacted is the function computeDisallowedHosts of the file app/server/appsmith-interfaces/src/main/java/com/appsmith/util/WebClientUtils.java of the component Dashboard. Such manipulation leads to server-side request forgery. The...

7.5CVSS6.6AI score0.00303EPSS

Exploits0References1

EUVD•added 2026/04/02 9:32 p.m.•2 views

EUVD-2026-18518

7.5CVSS6.6AI score0.00303EPSS

Exploits0References6

Cvelist•added 2026/04/02 6:30 p.m.•25 views

CVE-2026-5418 appsmithorg appsmith Dashboard WebClientUtils.java computeDisallowedHosts server-side request forgery

7.5CVSS0.00303EPSS

Exploits0References5

CVE•added 2026/04/02 6:30 p.m.•9 views

CVE-2026-5418

The CVE affects appsmith.org Appsmith Dashboard up to version 1.97, specifically the computeDisallowedHosts function in WebClientUtils.java. The issue enables server-side request forgery (SSRF) and may be exploitable remotely; an exploit is publicly available. Mitigation provided in the sources i...

7.5CVSS6.6AI score0.00303EPSS

Exploits0References5

ATTACKERKB•added 2026/04/02 6:30 p.m.•0 views

CVE-2026-5418

7.5CVSS6.6AI score0.00303EPSS

Exploits0References5Affected Software1

CNNVD•added 2026/04/02 12:0 a.m.•5 views

Appsmith 代码问题漏洞

Appsmith is an open-source platform developed by Appsmith for building, deploying, and maintaining internal applications. Versions of Appsmith 1.97 and earlier contained code vulnerabilities. These vulnerabilities stemmed from incorrect operations in the computeDisallowedHosts function of the...

7.5CVSS7.2AI score0.00303EPSS

Exploits0References5

OSV•added 2026/04/01 8:35 a.m.•3 views

BIT-APPSMITH-2026-34411 Appsmith < 1.98 Unauthenticated Instance Configuration Disclosure via Management APIs

Appsmith versions prior to 1.98 expose sensitive instance management API endpoints without authentication. Unauthenticated attackers can query endpoints like /api/v1/consolidated-api/view and /api/v1/tenants/current to retrieve configuration metadata, license information, and unsalted SHA-256...

6.9CVSS5.9AI score0.00387EPSS

Exploits1References3