Appsmith’s SQL query editor’s autocomplete functionality fails to sanitize database object names before rendering them in innerHTML, allowing an authenticated Developer to inject persistent XSS by a malicious table or column names triggering arbitrary code execution in the sessions of other workspace members when they interact with the same datasource.

Metrics

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

Affected Vendors & Products

No data.

No data.

No data.

No data.

References
Link Providers
https://github.com/Stuub/Appsmith-1.98-Stored-XSS-Exploit cve-icon
https://github.com/appsmithorg/appsmith/commit/99d69180919981ed9bc5484050d809a5bec68acc cve-icon
https://github.com/appsmithorg/appsmith/pull/41666 cve-icon
https://github.com/appsmithorg/appsmith/releases/tag/v2.1 cve-icon
https://github.com/appsmithorg/appsmith/security/advisories/GHSA-vvxf-f8q9-86gh cve-icon
History

Tue, 02 Jun 2026 15:45:00 +0000

Type Values Removed Values Added
Description Appsmith’s SQL query editor’s autocomplete functionality fails to sanitize database object names before rendering them in innerHTML, allowing an authenticated Developer to inject persistent XSS by a malicious table or column names triggering arbitrary code execution in the sessions of other workspace members when they interact with the same datasource.
Title CVE-2026-7299
References
Metrics cvssV3_1

{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N'}
cve-icon MITRE

Status: PUBLISHED

Assigner: certcc

Published:

Updated: 2026-06-02T15:23:03.693Z

Reserved: 2026-04-28T11:32:21.296Z

Link: CVE-2026-7299

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

No data.