Description
Appsmith’s SQL query editor’s autocomplete functionality fails to sanitize database object names before rendering them in innerHTML, allowing an authenticated Developer to inject persistent XSS via malicious table or column names, triggering arbitrary code execution in the sessions of other workspace members when they interact with the same datasource.
Published: 2026-06-02
Score: 6.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The bug lies in Appsmith’s SQL query editor autocomplete, which renders database object names into innerHTML without sanitization. An authenticated developer can create malicious table or column names that embed JavaScript. When another workspace member interacts with the same datasource, the stored script is executed in their browser, causing persistent cross‑site scripting that can compromise the confidentiality, integrity, and availability of the session.

Affected Systems

The vulnerability affects installations of Appsmith that are running versions prior to the v2.1 release referenced in the advisory. The issue was addressed in commit 99d6918 and the corresponding pull request, and is fixed in releases tagged v2.1 and later.

Risk and Exploitability

The CVSS score of 6.3 indicates a moderate severity. The exploit requires only that the attacker has a developer role with access to the SQL editor and the ability to create database objects. No network or privilege escalation barriers are noted, and the attack vector is local to the application. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog, suggesting it is not a widely leveraged public exploit, but the impact for affected workspaces remains significant.

Generated by OpenCVE AI on June 2, 2026 at 17:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Appsmith to the latest release (v2.1 or later) to apply the fix for the XSS vulnerability.
  • If an upgrade cannot be performed immediately, restrict developer users from creating or renaming database tables and columns with arbitrary names, or disable the SQL editor feature for untrusted users.
  • As a temporary measure, ensure that any table or column names entered through the editor are server‑side sanitized, escaping or removing characters that could form HTML or script tags before rendering the autocomplete suggestions.
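As an added example (not Appsmith’s code), the vulnerable rendering pattern this advisory describes beside two hardened forms; the table names are constructed stand-ins for attacker-controlled database object names, and `doc` is a hypothetical injected document so the DOM variant can run outside a browser.

```javascript
// Added example (not Appsmith code): rendering autocomplete suggestions for
// database object names without letting them reach the DOM as markup.

// Constructed, hypothetical table/column names as untrusted input would supply them.
const SUGGESTIONS = [
  "users",
  "orders<img src=x onerror=\"alert(1)\">", // constructed: markup inside a table name
  "total_amount & tax",                      // constructed: ampersand only
];

// Escapes the five characters that change meaning in HTML text or attribute
// context, so the result is safe to place into innerHTML as literal text.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Vulnerable pattern (the class of bug described above): names concatenated
// straight into markup that is later assigned to innerHTML.
function renderSuggestionsUnsafe(names) {
  return names.map((n) => `<li class="suggestion">${n}</li>`).join("");
}

// Hardened string-building variant: every untrusted name is escaped first.
function renderSuggestionsEscaped(names) {
  return names.map((n) => `<li class="suggestion">${escapeHtml(n)}</li>`).join("");
}

// Preferred fix when a DOM is available: build nodes and assign textContent, so
// the name is never parsed as HTML. `doc` is injected (hypothetical) for testability.
function renderSuggestionsDom(names, doc) {
  const list = doc.createElement("ul");
  for (const n of names) {
    const li = doc.createElement("li");
    li.className = "suggestion";
    li.textContent = n; // text, never markup
    list.appendChild(li);
  }
  return list;
}

// Detection helper for the check: true if the markup contains any tag other
// than the <li> wrapper, i.e. a name was rendered as live HTML.
function containsRawTag(html) {
  return /<(?!\/?li\b)[a-z]/i.test(html);
}
```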

Advisories

No advisories yet.

History

Tue, 02 Jun 2026 17:30:00 +0000

Type: Weaknesses
Values Added: CWE-79

Tue, 02 Jun 2026 17:00:00 +0000

Type: First Time appeared
Values Added: Appsmith; Appsmith appsmith
Type: Vendors & Products
Values Added: Appsmith; Appsmith appsmith

Tue, 02 Jun 2026 16:30:00 +0000

Type: References (values not shown)

Tue, 02 Jun 2026 15:45:00 +0000

Type: Description
Values Added: Appsmith’s SQL query editor’s autocomplete functionality fails to sanitize database object names before rendering them in innerHTML, allowing an authenticated Developer to inject persistent XSS via malicious table or column names, triggering arbitrary code execution in the sessions of other workspace members when they interact with the same datasource.
Type: Title
Values Added: CVE-2026-7299
Type: References (values not shown)
Type: Metrics
Values Added: cvssV3_1 {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N'}

MITRE

Status: PUBLISHED

Assigner: certcc

Published:

Updated: 2026-06-02T15:23:03.693Z

Reserved: 2026-04-28T11:32:21.296Z

Link: CVE-2026-7299

Vulnrichment

No data.

NVD

Status: Awaiting Analysis

Published: 2026-06-02T16:16:45.557

Modified: 2026-06-02T17:35:24.027

Link: CVE-2026-7299

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-02T17:15:19Z

Weaknesses