CVE-2026-7299
Analyzed Analyzed - Analysis Complete
Appsmith SQL Query Editor Autocomplete XSS Vulnerability

Publication date: 2026-06-02

Last updated on: 2026-06-04

Assigner: CERT/CC

Description
Appsmith’s SQL query editor’s autocomplete functionality fails to sanitize database object names before rendering them in innerHTML, allowing an authenticated Developer to inject persistent XSS by a malicious table or column names triggering arbitrary code execution in the sessions of other workspace members when they interact with the same datasource.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-02
Last Modified
2026-06-04
Generated
2026-06-22
AI Q&A
2026-06-02
EPSS Evaluated
2026-06-21
NVD
CVE-2026-7299
EUVD
EUVD-2026-33936
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
appsmith appsmith to 1.99 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-7299 is a stored cross-site scripting (XSS) vulnerability in Appsmith's SQL query editor autocomplete feature. The issue arises because the autocomplete functionality fails to sanitize database object names before rendering them using innerHTML. An authenticated Developer with access to a shared datasource can create malicious table or column names containing JavaScript payloads. When other workspace members trigger the SQL autocomplete, the malicious code executes in their browsers, potentially hijacking sessions or escalating privileges.

The vulnerability specifically affects Appsmith versions prior to 2.1 and involves unsafe use of innerHTML in the CodeMirror-based SQL editor. The root cause is the lack of input sanitization and the use of innerHTML instead of safer text rendering methods. The issue was fixed by replacing innerHTML with textContent in the autocomplete renderer.

Compliance Impact

The vulnerability allows an authenticated developer to inject persistent cross-site scripting (XSS) payloads via malicious table or column names, which execute arbitrary code in other workspace members' sessions. This can lead to session hijacking, privilege escalation, and credential theft.

Such unauthorized access to user sessions and potential exposure of credentials can result in breaches of confidentiality and integrity of sensitive data, which are critical requirements under standards like GDPR and HIPAA.

Therefore, exploitation of this vulnerability could lead to non-compliance with data protection regulations that mandate safeguarding personal and sensitive information against unauthorized access and attacks.

Impact Analysis

This vulnerability can lead to arbitrary code execution in the browsers of other workspace members when they use the SQL autocomplete feature. An attacker with developer-level access can inject malicious JavaScript that executes in victims' sessions.

  • Session hijacking of affected users.
  • Privilege escalation, especially if the victim has admin rights.
  • Theft of datasource credentials or other sensitive information.

Successful exploitation requires developer access to the datasource and involves creating malicious table or column names. The impact is significant because it affects multiple users sharing the same datasource and can compromise their browser sessions.

Detection Guidance

This vulnerability is a stored cross-site scripting (XSS) issue in Appsmith's SQL query editor autocomplete feature, triggered by malicious table or column names containing JavaScript payloads. Detection involves identifying if any database objects (tables or columns) have names containing suspicious or malicious script code.

Since the vulnerability requires developer-level access to a shared PostgreSQL datasource, you can inspect the database schema for unusual or suspicious object names that might contain script tags or JavaScript code.

Suggested commands to detect potential malicious database object names include querying the PostgreSQL information schema for table and column names containing suspicious patterns such as '<script>', 'javascript:', or other common XSS payload markers.

  • Check for suspicious table names: SELECT table_name FROM information_schema.tables WHERE table_schema = 'public' AND table_name ILIKE '%<script>%';
  • Check for suspicious column names: SELECT column_name, table_name FROM information_schema.columns WHERE table_schema = 'public' AND column_name ILIKE '%<script>%';

Additionally, monitor user activity for developers creating or modifying database objects with unusual names, and review logs or audit trails if available.

Mitigation Strategies

The primary and immediate mitigation step is to update Appsmith to version 2.1 or later, as this release includes a fix that replaces unsafe innerHTML usage with safe textContent rendering in the SQL autocomplete feature, preventing execution of malicious scripts.

Until the update can be applied, restrict developer-level access to shared datasources to trusted users only, to reduce the risk of malicious database object name injection.

Review and sanitize existing database object names to remove any potentially malicious scripts or HTML content.

Educate developers and workspace members about the risk of injecting malicious names and encourage safe naming conventions.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-7299. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart