58 matches found
BIT-APPSMITH-2026-24042 Appsmith public apps can execute unpublished actions (viewMode confusion)
Appsmith is a platform to build admin panels, internal tools, and dashboards. In versions 1.94 and below, publicly accessible apps allow unauthenticated users to execute unpublished edit-mode actions by sending viewMode=false or omitting it to POST /api/v1/actions/execute. This bypasses the...
CVE-2026-24042
Appsmith is a platform to build admin panels, internal tools, and dashboards. In versions 1.94 and below, publicly accessible apps allow unauthenticated users to execute unpublished edit-mode actions by sending viewMode=false or omitting it to POST /api/v1/actions/execute. This bypasses the...
EUVD-2026-4221
Appsmith is a platform to build admin panels, internal tools, and dashboards. In versions 1.94 and below, publicly accessible apps allow unauthenticated users to execute unpublished edit-mode actions by sending viewMode=false or omitting it to POST /api/v1/actions/execute. This bypasses the...
CVE-2026-24042
Appsmith (versions 1.94 and below) exposes an unauthenticated risk where public apps can execute unpublished (edit-mode) actions by sending viewMode=false or omitting it to POST /api/v1/actions/execute. The underlying cause is viewMode handling that bypasses the publish boundary, allowing executi...
PT-2026-3916
Name of the Vulnerable Software and Affected Versions: Appsmith versions 1.94 and below. Description: Appsmith is a platform used to build admin panels, internal tools, and dashboards. Publicly accessible applications in affected versions allow unauthenticated users to execute unpublished actions...
Appsmith security vulnerabilities
Appsmith is an open-source platform developed by Appsmith itself, used for building, deploying, and maintaining internal applications. Versions of Appsmith prior to 1.94 contained security vulnerabilities. These vulnerabilities allowed unauthenticated users to perform unpublished operations, whic...
EUVD-2017-3326
Malware in sbrugna...
EUVD-2025-4748
Malicious code in bioql PyPI...
Cross-site Scripting (XSS)
Overview DotNetNuke.Web provides references to core components such as Caching, Security and other security-related items for the DNN Platform. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via module actions when in edit mode. An attacker can execute scripts in the...
Cross-site Scripting (XSS)
Overview DotNetNuke.Core is a reference provider for DotNetNuke.dll, used to develop extensions for the DNN Platform. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via module actions when in edit mode. An attacker can execute scripts in the context of the user's brows...
GHSA-79M3-RVX2-3QQ9 Reflected Cross-Site Scripting (XSS) in module actions in edit mode
A specially crafted URL may be constructed which can inject an XSS payload that is triggered by using some module actions...
CVE-2025-48377 Dnn.Platform vulnerable to Reflected Cross-Site Scripting (XSS) in module actions in edit mode
DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Prior to version 9.13.9, a specially crafted URL may be constructed which can inject an XSS payload that is triggered by using some module actions. Version 9.13.9 fixes the issue...
CVE-2023-46743
application-collabora is an integration of Collabora Online in XWiki. As part of the application use cases, depending on the rights that a user has over a document, they should be able to open the office attachments files in view or edit mode. Currently, if a user opens an attachment file in edit...
CVE-2025-24841
Movable Type contains a stored cross-site scripting vulnerability in the HTML edit mode of MT Block Editor. It is exploitable when TinyMCE6 is used as a rich text editor and an arbitrary script may be executed on a logged-in user's web browser...
CVE-2025-24841
CVE-2025-24841 — Movable Type contains a stored cross-site scripting vulnerability in the HTML edit mode of the MT Block Editor, exploitable when TinyMCE6 is used as the rich text editor. The issue allows arbitrary script execution in a logged-in user’s browser. Sources describe affected products...
VulnCheck KEV: CVE-2024-21413
Microsoft Outlook contains an improper input validation vulnerability that allows for remote code execution. Successful exploitation of this vulnerability would allow an attacker to bypass the Office Protected View and open in editing mode rather than protected mode...