{"vuid":"VU#265691","idnumber":"265691","name":"Appsmith SQL query autocomplete renderer contains a cross-site scripting vulnerability","keywords":null,"overview":"### Overview\r\n\r\nA stored cross-site scripting (XSS) vulnerability has been discovered in Appsmith, specifically in the CodeMirror-based SQL query editor’s autocomplete renderer. CVE-2026-7299 has been assigned to track the vulnerability. An attacker with Developer-level access to a shared PostgreSQL datasource can inject arbitrary JavaScript by creating database objects (tables or columns) whose names contain XSS payloads. Successful exploitation leads to arbitrary JavaScript execution in the browser of any workspace member who triggers SQL autocomplete against that datasource, enabling session hijacking, privilege escalation, or credential theft. Appsmith version 2.1 fixes CVE-2026-7299.\r\n\r\n### Description\r\n\r\nAppsmith is an open-source, low-code platform that lets developers build internal tools, dashboards, and applications using a UI builder, database and API integrations, and JavaScript customization. Appsmith can be deployed either self-hosted or via the cloud. A vulnerability, tracked as CVE-2026-7299, has been discovered that allows XSS within the SQL query editor’s autocomplete function.\r\n\r\nThe vulnerability description is below.\r\n\r\n**CVE-2026-7299**\r\nAppsmith’s SQL query editor autocomplete fails to sanitize database object names before rendering them via innerHTML, allowing an authenticated Developer to plant persistent XSS in malicious table or column names. The payload executes arbitrary JavaScript in the sessions of other workspace members when they interact with the same datasource.\r\n\r\nThis vulnerability requires an account with Developer access. A Developer Appsmith account is designed to create, edit, and delete apps within the workspace it is assigned to. 
When another workspace member, such as an administrator, opens the SQL editor and triggers autocomplete (e.g., by typing SELECT * FROM), the malicious table name is rendered and the stored payload executes in that member’s session, which can allow privilege escalation.\r\n\r\n### Impact\r\nSuccessful exploitation of CVE-2026-7299 leads to arbitrary JavaScript execution in the browser of any workspace member who triggers SQL autocomplete against the affected datasource, enabling session hijacking, privilege escalation, or credential theft.\r\n\r\n### Solution\r\nAppsmith version 2.1 fixes this vulnerability. Users should update their installations as soon as possible.\r\n\r\n### Acknowledgements\r\nThanks to the reporter, Stuart Beck. This document was written by Christopher Cullen.","clean_desc":null,"impact":null,"resolution":null,"workarounds":null,"sysaffected":null,"thanks":null,"author":null,"public":["https://github.com/appsmithorg/appsmith/security/advisories/GHSA-vjfq-fvfc-3vjw","https://github.com/Stuub/Appsmith-1.98-Stored-XSS-Exploit","https://github.com/appsmithorg/appsmith/pull/41666","https://github.com/appsmithorg/appsmith/releases/tag/v2.1","https://github.com/appsmithorg/appsmith/commit/99d69180919981ed9bc5484050d809a5bec68acc"],"cveids":["CVE-2026-7299"],"certadvisory":null,"uscerttechnicalalert":null,"datecreated":"2026-06-02T14:06:35.812977Z","publicdate":"2026-06-02T14:06:35.662395Z","datefirstpublished":"2026-06-02T14:06:35.822520Z","dateupdated":"2026-06-02T14:06:35.662388Z","revision":1,"vrda_d1_directreport":null,"vrda_d1_population":null,"vrda_d1_impact":null,"cam_widelyknown":null,"cam_exploitation":null,"cam_internetinfrastructure":null,"cam_population":null,"cam_impact":null,"cam_easeofexploitation":null,"cam_attackeraccessrequired":null,"cam_scorecurrent":null,"cam_scorecurrentwidelyknown":null,"cam_scorecurrentwidelyknownexploited":null,"ipprotocol":null,"cvss_accessvector":null,"cvss_accesscomplexity":null,"cvss_authentication":null,"cvss_confidentialityimpact":null,"cvss_integrityimpact":null,"cvss_availabilityimpact":null,"cvss_exploitablity":null,"cvss_remediationlevel":null,"cvss_reportconfidence":null,"cvss_collateraldamagepotential":null,"cvss_targetdistribution":null,"cvss_securityrequirementscr":null,"cvss_securityrequirementsir":null,"cvss_securityrequirementsar":null,"cvss_basescore":null,"cvss_basevector":null,"cvss_temporalscore":null,"cvss_environmentalscore":null,"cvss_environmentalvector":null,"metric":null,"vulnote":201}
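The note above describes the bug class (database object names interpolated into innerHTML by an autocomplete hint renderer) without showing it. The following is an added example, not Appsmith's or CodeMirror's code: a CodeMirror-style hint renderer that builds its markup by string interpolation, the same renderer with untrusted fields HTML-escaped, and a small oracle that reports any tag the renderer did not intend to emit. The object names, the `orders<img ...>` payload, and the `cm-hint-*` class names are constructed for illustration; PostgreSQL accepts such names as quoted identifiers, which is why a Developer can store the payload in the schema.

```javascript
// Added example (not Appsmith's code). Models the vulnerable pattern from
// CVE-2026-7299 and its fix: untrusted schema metadata rendered into HTML.

// Constructed schema metadata, shaped like what a datasource introspection call
// might return. The second name is a constructed stored-XSS payload; a Developer
// can create it with CREATE TABLE "orders<img src=x onerror=...>" (...).
const SAMPLE_OBJECTS = [
  { name: "users", kind: "table" },
  { name: 'orders<img src=x onerror="alert(document.cookie)">', kind: "table" },
  { name: "o'brien", kind: "column" },
];

// Vulnerable renderer: concatenates the object name straight into the markup
// that a hint's render callback would assign to element.innerHTML. Any '<' in
// the name becomes live markup in every viewer's browser.
function renderHintUnsafe(obj) {
  return `<span class="cm-hint-kind">${obj.kind}</span>` +
         `<span class="cm-hint-name">${obj.name}</span>`;
}

// Minimal HTML escaping for text placed in element content or quoted attributes.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Hardened renderer: same markup, but every field that came from the database
// is escaped first. In a real DOM renderer the preferable fix is to build the
// spans with document.createElement and set obj.name via textContent, so no
// string of untrusted HTML is ever constructed at all.
function renderHintSafe(obj) {
  return `<span class="cm-hint-kind">${escapeHtml(obj.kind)}</span>` +
         `<span class="cm-hint-name">${escapeHtml(obj.name)}</span>`;
}

// Test oracle for this example: list any tag other than the renderer's own
// <span> wrapper, or any tag carrying an on* event-handler attribute. This is
// for checking output in a test, not a sanitizer; do not use it as a defence.
function findForeignMarkup(html) {
  const tags = [...html.matchAll(/<\/?([a-zA-Z][\w-]*)([^>]*)>/g)];
  return tags
    .filter(([, name, attrs]) =>
      name.toLowerCase() !== "span" || /\son\w+\s*=/i.test(attrs))
    .map(([tag]) => tag);
}

// Render every sample object both ways and report what the oracle finds.
// Expected: the payload row is flagged only for the unsafe renderer.
function demo() {
  const result = { unsafe: [], safe: [] };
  for (const obj of SAMPLE_OBJECTS) {
    result.unsafe.push(findForeignMarkup(renderHintUnsafe(obj)));
    result.safe.push(findForeignMarkup(renderHintSafe(obj)));
  }
  return result;
}
```

Calling `demo()` shows the asymmetry the advisory describes: the same schema row is inert when rendered through `renderHintSafe` and yields a live `<img onerror=...>` element when rendered through `renderHintUnsafe`. The escaping fix is the minimal change; moving the renderer to `textContent` removes the string-building step entirely and is the more robust option.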