CVE-2026-7299EPSS p15.5%

CVE-2026-7299CVE-2026-7299

appsmith / appsmith

Description

Appsmith’s SQL query editor’s autocomplete functionality fails to sanitize database object names before rendering them in innerHTML, allowing an authenticated Developer to inject persistent XSS by a malicious table or column names triggering arbitrary code execution in the sessions of other workspace members when they interact with the same datasource.

Scoring

CVSS 6.3 ()
VectorCVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N
EPSS0.24% probability of exploitation · percentile 15.5% · 2026-06-19T12:03:05Z
Last modified2026-06-04

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE
CVE-2026-30862
CVE
CVE-2026-48299
CVE
CVE-2026-24042
CVE
CVE-2025-23176
CVE
CVE-2026-20947
CVE
CVE-2026-48297
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.