
138 matches found

RedhatCVE
added yesterday, 3 views

CVE-2026-7299

Appsmith’s SQL query editor’s autocomplete functionality fails to sanitize database object names before rendering them in innerHTML, allowing an authenticated Developer to inject persistent XSS via malicious table or column names, triggering arbitrary code execution in the sessions of other...

CVSS 6.3, AI score 6.3, EPSS 0.00039
Exploits: 2, References: 1
NVD
added 4 days ago, 6 views

CVE-2026-7299

Appsmith’s SQL query editor’s autocomplete functionality fails to sanitize database object names before rendering them in innerHTML, allowing an authenticated Developer to inject persistent XSS via malicious table or column names, triggering arbitrary code execution in the sessions of other...

CVSS 6.3, EPSS 0.00039
Exploits: 2, References: 6
EUVD
added 4 days ago, 7 views

EUVD-2026-33936

Appsmith’s SQL query editor’s autocomplete functionality fails to sanitize database object names before rendering them in innerHTML, allowing an authenticated Developer to inject persistent XSS via malicious table or column names, triggering arbitrary code execution in the sessions of other...

CVSS 6.3, AI score 6.4, EPSS 0.00039
Exploits: 2, References: 5
CVE
added 4 days ago, 6 views

CVE-2026-7299

Appsmith CVE-2026-7299 affects the SQL query editor autocomplete renderer, where unsanitized database object names rendered into innerHTML enable persistent XSS by a developer with access. This can execute arbitrary JavaScript in other workspace members’ sessions when interacting with the same da...

CVSS 6.3, AI score 6.4, EPSS 0.00039
Exploits: 2, References: 6, Affected Software: 1
Vulnrichment
added 4 days ago, 7 views

CVE-2026-7299

Appsmith’s SQL query editor’s autocomplete functionality fails to sanitize database object names before rendering them in innerHTML, allowing an authenticated Developer to inject persistent XSS via malicious table or column names, triggering arbitrary code execution in the sessions of other...

CVSS 6.3, AI score 6.4, EPSS 0.00039
Exploits: 2, References: 5
CERT
added 4 days ago, 5 views

Appsmith’s SQL Query autocomplete renderer contains a cross-site scripting vulnerability

Overview A stored cross-site scripting XSS vulnerability has been discovered in Appsmith, specifically in the CodeMirror based SQL query editor’s autocomplete renderer. CVE-2026-7299 has been assigned to track the vulnerability. An attacker with developer level access to a shared PostgreSQL...

CVSS 6.3, AI score 6.2, EPSS 0.00039
Exploits: 2, References: 5
Github Security Blog
added 2026/04/29 8:59 p.m., 7 views

appsmith has SQL Injection in FilterDataService via Unsafe DROP TABLE Execution

Summary A SQL injection vulnerability exists in FilterDataServiceCE.java where the dropTable method constructs a SQL DROP TABLE statement using string concatenation with the table name. If the table name is derived from user input, this allows for arbitrary SQL command execution. Details The...

AI score 6.1
Exploits: 0, References: 3, Affected Software: 1
OSV
added 2026/04/29 8:59 p.m., 3 views

GHSA-H8CJ-HPMG-636V appsmith has SQL Injection in FilterDataService via Unsafe DROP TABLE Execution

Summary A SQL injection vulnerability exists in FilterDataServiceCE.java where the dropTable method constructs a SQL DROP TABLE statement using string concatenation with the table name. If the table name is derived from user input, this allows for arbitrary SQL command execution. Details The...

CVSS 7.2, AI score 6.1
Exploits: 0, References: 3
RedhatCVE
added 2026/04/03 11:02 p.m., 1 view

CVE-2026-5418

A vulnerability was identified in appsmithorg appsmith up to 1.97. Impacted is the function computeDisallowedHosts of the file app/server/appsmith-interfaces/src/main/java/com/appsmith/util/WebClientUtils.java of the component Dashboard. Such manipulation leads to server-side request forgery. The...

CVSS 7.5, AI score 6.6, EPSS 0.00058
Exploits: 0, References: 1
EUVD
added 2026/04/02 9:32 p.m., 0 views

EUVD-2026-18518

A vulnerability was identified in appsmithorg appsmith up to 1.97. Impacted is the function computeDisallowedHosts of the file app/server/appsmith-interfaces/src/main/java/com/appsmith/util/WebClientUtils.java of the component Dashboard. Such manipulation leads to server-side request forgery. The...

CVSS 7.5, AI score 6.6, EPSS 0.00058
Exploits: 0, References: 6
ATTACKERKB
added 2026/04/02 6:30 p.m., 0 views

CVE-2026-5418

A vulnerability was identified in appsmithorg appsmith up to 1.97. Impacted is the function computeDisallowedHosts of the file app/server/appsmith-interfaces/src/main/java/com/appsmith/util/WebClientUtils.java of the component Dashboard. Such manipulation leads to server-side request forgery. The...

CVSS 7.5, AI score 6.6, EPSS 0.00058
Exploits: 0, References: 5, Affected Software: 1
CVE
added 2026/04/02 6:30 p.m., 6 views

CVE-2026-5418

The CVE affects appsmith.org Appsmith Dashboard up to version 1.97, specifically the computeDisallowedHosts function in WebClientUtils.java. The issue enables server-side request forgery (SSRF) and may be exploitable remotely; an exploit is publicly available. Mitigation provided in the sources i...

CVSS 7.5, AI score 6.6, EPSS 0.00058
Exploits: 0, References: 5
Cvelist
added 2026/04/02 6:30 p.m., 22 views

CVE-2026-5418 appsmithorg appsmith Dashboard WebClientUtils.java computeDisallowedHosts server-side request forgery

A vulnerability was identified in appsmithorg appsmith up to 1.97. Impacted is the function computeDisallowedHosts of the file app/server/appsmith-interfaces/src/main/java/com/appsmith/util/WebClientUtils.java of the component Dashboard. Such manipulation leads to server-side request forgery. The...

CVSS 7.5, EPSS 0.00058
Exploits: 0, References: 5
CNNVD
added 2026/04/02 12:00 a.m., 2 views

Appsmith code issue vulnerability

Appsmith is an open-source platform developed by Appsmith for building, deploying, and maintaining internal applications. Versions of Appsmith 1.97 and earlier contained code vulnerabilities. These vulnerabilities stemmed from incorrect operations in the computeDisallowedHosts function of the...

CVSS 7.5, AI score 7.2, EPSS 0.00058
Exploits: 0, References: 5
OSV
added 2026/04/01 8:35 a.m., 2 views

BIT-APPSMITH-2026-34411 Appsmith < 1.98 Unauthenticated Instance Configuration Disclosure via Management APIs

Appsmith versions prior to 1.98 expose sensitive instance management API endpoints without authentication. Unauthenticated attackers can query endpoints like /api/v1/consolidated-api/view and /api/v1/tenants/current to retrieve configuration metadata, license information, and unsalted SHA-256...

CVSS 6.9, AI score 5.9, EPSS 0.00033
Exploits: 1, References: 3
GithubExploit
added 2026/03/31 2:02 a.m., 14 views

Exploit for CVE-2026-7299

CVE-2026-7299 - Appsmith 1.98 Stored XSS SQL Autocomplete inn...

CVSS 6.3, AI score 5.9, EPSS 0.00039
Exploits: 2
EUVD
added 2026/03/27 6:31 p.m., 3 views

EUVD-2026-16721

Appsmith versions prior to 1.98 expose sensitive instance management API endpoints without authentication. Unauthenticated attackers can query endpoints like /api/v1/consolidated-api/view and /api/v1/tenants/current to retrieve configuration metadata, license information, and unsalted SHA-256...

CVSS 6.9, AI score 5.9, EPSS 0.00033
Exploits: 1, References: 3
Cvelist
added 2026/03/27 4:24 p.m., 18 views

CVE-2026-34411 Appsmith < 1.98 Unauthenticated Instance Configuration Disclosure via Management APIs

Appsmith versions prior to 1.98 expose sensitive instance management API endpoints without authentication. Unauthenticated attackers can query endpoints like /api/v1/consolidated-api/view and /api/v1/tenants/current to retrieve configuration metadata, license information, and unsalted SHA-256...

CVSS 6.9, EPSS 0.00033
Exploits: 1, References: 2
CVE
added 2026/03/27 4:24 p.m., 6 views

CVE-2026-34411

Affected product: Appsmith prior to version 1.98. Root cause: unauthenticated access to instance management API endpoints (/api/v1/consolidated-api/view, /api/v1/tenants/current) that exposes configuration metadata, license information, and unsalted SHA-256 hashes of admin email domains. Impact: ...

CVSS 6.9, AI score 5.9, EPSS 0.00033
Exploits: 1, References: 2, Affected Software: 1
Vulnrichment
added 2026/03/27 4:24 p.m., 3 views

CVE-2026-34411 Appsmith < 1.98 Unauthenticated Instance Configuration Disclosure via Management APIs

Appsmith versions prior to 1.98 expose sensitive instance management API endpoints without authentication. Unauthenticated attackers can query endpoints like /api/v1/consolidated-api/view and /api/v1/tenants/current to retrieve configuration metadata, license information, and unsalted SHA-256...

CVSS 6.9, AI score 5.9, EPSS 0.00033
Exploits: 1, References: 2