CVE-2026-7299
Status: Received - Intake
Appsmith SQL Query Editor Autocomplete XSS Vulnerability

Publication date: 2026-06-02

Last updated on: 2026-06-02

Assigner: CERT/CC

Description
Appsmith's SQL query editor autocomplete fails to sanitize database object names before rendering them via innerHTML, allowing an authenticated Developer to inject persistent XSS through malicious table or column names, triggering arbitrary code execution in the sessions of other workspace members when they interact with the same datasource.
Meta Information
Published: 2026-06-02
Last Modified: 2026-06-02
Generated: 2026-06-02
AI Q&A: 2026-06-02
EPSS Evaluated: N/A
Affected Vendors & Products (2 associated CPEs)
Vendor | Product | Version / Range
appsmith | appsmith | up to 2.1 (exclusive)
appsmith | appsmith | up to 1.98 (exclusive)
CWE ID: CWE-UNKNOWN
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-7299 is a stored cross-site scripting (XSS) vulnerability in Appsmith's SQL query editor autocomplete feature. The issue arises because the autocomplete functionality fails to sanitize database object names before rendering them using innerHTML. An authenticated Developer with access to a shared datasource can create malicious table or column names containing JavaScript payloads. When other workspace members trigger the SQL autocomplete, the malicious code executes in their browsers, potentially hijacking sessions or escalating privileges.

The vulnerability specifically affects Appsmith versions prior to 2.1 and involves unsafe use of innerHTML in the CodeMirror-based SQL editor. The root cause is the lack of input sanitization and the use of innerHTML instead of safer text rendering methods. The issue was fixed by replacing innerHTML with textContent in the autocomplete renderer.
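To make the innerHTML-versus-textContent point concrete, here is an added example (not Appsmith's own code): a CodeMirror-style hint render callback for one SQL autocomplete entry, first in the innerHTML form the advisory describes, then in the textContent form of the fix. FakeElement is an assumed stand-in for DOM nodes so the code runs outside a browser; it serialises a tree the way a browser would (text nodes escaped, innerHTML markup kept as markup), which is what makes the difference visible.

```javascript
// Added example, not Appsmith's own code. FakeElement is an assumed DOM
// stand-in: innerHTML stores parsed markup, textContent stores a text node,
// and serialize() renders the tree the way a browser would.

function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (ch) => map[ch]);
}

class FakeElement {
  constructor(tag) { this.tag = tag; this.children = []; this.rawHtml = null; }
  // innerHTML parses the string: any tag inside an identifier becomes a real node.
  set innerHTML(html) { this.rawHtml = html; this.children = []; }
  // textContent stores a text node: '<' is data, never a tag.
  set textContent(text) { this.rawHtml = null; this.children = [String(text)]; }
  appendChild(node) { this.rawHtml = null; this.children.push(node); return node; }
  serialize() {
    const inner = this.rawHtml !== null
      ? this.rawHtml
      : this.children.map((c) => (typeof c === 'string' ? escapeHtml(c) : c.serialize())).join('');
    return `<${this.tag}>${inner}</${this.tag}>`;
  }
}

// Vulnerable: the database identifier is concatenated straight into markup.
function renderHintVulnerable(elt, hint) {
  elt.innerHTML = '<span class="hint-name">' + hint.text + '</span>';
  return elt;
}

// Fixed: the identifier becomes a text node, so it is displayed, not interpreted.
function renderHintSafe(elt, hint) {
  const span = new FakeElement('span');
  span.textContent = hint.text;
  elt.appendChild(span);
  return elt;
}

// Constructed column name carrying a tag, the kind of name the advisory describes.
const HOSTILE_NAME = 'amount<script>probe()</script>';

function demo() {
  const vulnerable = renderHintVulnerable(new FakeElement('li'), { text: HOSTILE_NAME }).serialize();
  const safe = renderHintSafe(new FakeElement('li'), { text: HOSTILE_NAME }).serialize();
  return { vulnerable, safe, tagSurvives: vulnerable.includes('<script>'), safeEscaped: !safe.includes('<script>') };
}
```

In a real browser the same two render functions behave identically to the stand-in: the innerHTML path inserts a live script element, the textContent path shows the name literally.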


How can this vulnerability impact me?

This vulnerability can lead to arbitrary code execution in the browsers of other workspace members when they use the SQL autocomplete feature. An attacker with developer-level access can inject malicious JavaScript that executes in victims' sessions.

  • Session hijacking of affected users.
  • Privilege escalation, especially if the victim has admin rights.
  • Theft of datasource credentials or other sensitive information.

Successful exploitation requires developer access to the datasource and involves creating malicious table or column names. The impact is significant because it affects multiple users sharing the same datasource and can compromise their browser sessions.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability is a stored cross-site scripting (XSS) issue in Appsmith's SQL query editor autocomplete feature, triggered by malicious table or column names containing JavaScript payloads. Detection involves identifying if any database objects (tables or columns) have names containing suspicious or malicious script code.

Since the vulnerability requires developer-level access to a shared PostgreSQL datasource, you can inspect the database schema for unusual or suspicious object names that might contain script tags or JavaScript code.

Suggested commands to detect potential malicious database object names include querying the PostgreSQL information schema for table and column names containing suspicious patterns such as '<script>', 'javascript:', or other common XSS payload markers.

  • Check for suspicious table names: SELECT table_name FROM information_schema.tables WHERE table_schema = 'public' AND table_name ILIKE '%<script>%';
  • Check for suspicious column names: SELECT column_name, table_name FROM information_schema.columns WHERE table_schema = 'public' AND column_name ILIKE '%<script>%';

Additionally, monitor user activity for developers creating or modifying database objects with unusual names, and review logs or audit trails if available.
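The ILIKE '%<script>%' queries above only catch names that spell out that one tag; a name using another tag or quote characters slips past. Here is an added example (not from the advisory) of a broader sweep: any identifier containing HTML-significant characters or a javascript: scheme is flagged, since legitimate table and column names never need them. SCHEMA_ROWS is a constructed stand-in for rows returned by querying information_schema.columns without a name filter.

```javascript
// Added example, not from the advisory. SCHEMA_ROWS is constructed sample
// data standing in for information_schema.columns output.

const SCHEMA_ROWS = [
  { table_name: 'orders', column_name: 'total_amount' },
  { table_name: 'orders', column_name: 'amount<script>probe()</script>' },
  { table_name: 'cust<b>omers</b>', column_name: 'email' },
  { table_name: 'cust<b>omers</b>', column_name: 'id' },
  { table_name: 'links', column_name: 'href=javascript:probe()' },
];

// Checked in order; the first matching rule supplies the reason.
const SUSPICIOUS = [
  { reason: 'angle bracket (markup)', re: /[<>]/ },
  { reason: 'quote or ampersand', re: /[&"']/ },
  { reason: 'javascript: scheme', re: /javascript\s*:/i },
];

// Returns one finding per distinct suspicious identifier (a hostile table
// name is reported once, not once per column it has).
function findSuspiciousIdentifiers(rows) {
  const seen = new Set();
  const findings = [];
  for (const row of rows) {
    for (const [kind, name] of [['table', row.table_name], ['column', row.column_name]]) {
      const key = `${kind}:${row.table_name}:${name}`;
      if (seen.has(key)) continue;
      const match = SUSPICIOUS.find((s) => s.re.test(name));
      if (!match) continue;
      seen.add(key);
      findings.push({ kind, table: row.table_name, name, reason: match.reason });
    }
  }
  return findings;
}
```

The output is a review list for a human, not proof of exploitation; each flagged name still needs to be inspected and renamed or dropped.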


What immediate steps should I take to mitigate this vulnerability?

The primary and immediate mitigation step is to update Appsmith to version 2.1 or later, as this release includes a fix that replaces unsafe innerHTML usage with safe textContent rendering in the SQL autocomplete feature, preventing execution of malicious scripts.

Until the update can be applied, restrict developer-level access to shared datasources to trusted users only, to reduce the risk of malicious database object name injection.

Review and sanitize existing database object names to remove any potentially malicious scripts or HTML content.

Educate developers and workspace members about the risk of injecting malicious names and encourage safe naming conventions.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability allows an authenticated developer to inject persistent cross-site scripting (XSS) payloads via malicious table or column names, which execute arbitrary code in other workspace members' sessions. This can lead to session hijacking, privilege escalation, and credential theft.

Such unauthorized access to user sessions and potential exposure of credentials can result in breaches of confidentiality and integrity of sensitive data, which are critical requirements under standards like GDPR and HIPAA.

Therefore, exploitation of this vulnerability could lead to non-compliance with data protection regulations that mandate safeguarding personal and sensitive information against unauthorized access and attacks.

