CVE-2026-7299 — CVE-2026-7299

Description

Appsmith’s SQL query editor’s autocomplete functionality fails to sanitize database object names before rendering them in innerHTML, allowing an authenticated Developer to inject persistent XSS by a malicious table or column names triggering arbitrary code execution in the sessions of other workspace members when they interact with the same datasource.

How to fix CVE-2026-7299

To remediate CVE-2026-7299, upgrade the affected package to a fixed version below.

Bitnami/appsmith—upgrade to 1.99.0 or later

Is CVE-2026-7299 being exploited?

No exploitation signal available. Neither CISA KEV nor a current EPSS score has been published for CVE-2026-7299.

Affected packages (1)

from 0, < 1.99.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM5.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

References (7)

WEBgithub.com/appsmithorg/appsmith/commit/99d69180919981ed9bc5484050d809a5bec68acc
WEBgithub.com/appsmithorg/appsmith/pull/41666
WEBgithub.com/appsmithorg/appsmith/releases/tag/v2.1
WEBgithub.com/appsmithorg/appsmith/security/advisories/GHSA-vvxf-f8q9-86gh