
CERT Coordination Center

Appsmith SQL Query autocomplete renderer contains a cross-site scripting vulnerability

Vulnerability Note VU#265691

Original Release Date: 2026-06-02 | Last Revised: 2026-06-02

Overview

A stored cross-site scripting (XSS) vulnerability has been discovered in Appsmith, specifically in the CodeMirror-based SQL query editor's autocomplete renderer. CVE-2026-7299 has been assigned to track the vulnerability. An attacker with developer-level access to a shared PostgreSQL datasource can inject arbitrary JavaScript by creating malicious database objects whose names contain XSS payloads. Successful exploitation leads to arbitrary JavaScript execution in the browser of any workspace member who triggers SQL autocomplete, enabling session hijacking, privilege escalation, or credential theft. Version 2.1 of Appsmith fixes CVE-2026-7299.

Description

Appsmith is an open-source, low-code platform that lets developers build internal tools, dashboards, and applications using a UI builder, database and API integrations, and JavaScript customization. Appsmith can be deployed either self-hosted or in the cloud. A vulnerability, tracked as CVE-2026-7299, has been discovered that allows XSS within the SQL query editor's autocomplete function.

The vulnerability description is below.

CVE-2026-7299
Appsmith's SQL query editor's autocomplete functionality fails to sanitize database object names before rendering them in innerHTML, allowing an authenticated Developer to inject persistent XSS via malicious table or column names, triggering arbitrary code execution in the sessions of other workspace members when they interact with the same datasource.

This vulnerability requires an account with developer access. A developer Appsmith account is designed to create, edit, and delete apps within the workspace it is assigned to. When an administrator opens the SQL editor and triggers autocomplete (e.g., by typing SELECT * FROM), the malicious table name is rendered and the stored payload executes in the administrator's session, which can allow privilege escalation.
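The root cause described above is a renderer that interpolates a datasource-supplied identifier into markup assigned to innerHTML. The following is an added example, not Appsmith's code, that places that vulnerable pattern beside two hardened forms (HTML-escaping the identifier, or building the node with textContent) and adds a simple screening check a defender can run over schema metadata. All function names and the sample table names are constructed for illustration.

```javascript
// Added example, not Appsmith's code: contrasts an innerHTML-style hint
// renderer (the pattern the advisory describes) with hardened versions.
// Function names and sample table names are constructed for illustration.

// Minimal HTML escaper covering the five characters that matter in
// element content and double/single-quoted attribute values.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// VULNERABLE pattern: the identifier from the datasource is interpolated
// into markup that the caller later assigns to element.innerHTML, so any
// tags inside the table name are parsed and executed by the browser.
function renderHintVulnerable(name) {
  return `<li class="cm-hint">${name}</li>`;
}

// HARDENED: same markup, but the identifier is escaped first, so a table
// name containing markup is displayed as literal text.
function renderHintHardened(name) {
  return `<li class="cm-hint">${escapeHtml(name)}</li>`;
}

// Preferred when a DOM is available: build the node and set textContent,
// which never parses HTML. Falls back to the escaped-string form offline
// (e.g. when run under Node without a DOM).
function renderHintNode(name) {
  if (typeof document === 'undefined') return renderHintHardened(name);
  const li = document.createElement('li');
  li.className = 'cm-hint';
  li.textContent = name;
  return li;
}

// Screening aid for defenders: flag identifiers that contain characters an
// ordinary table or column name would not need. PostgreSQL quoted
// identifiers may legally contain them, which is why output encoding in
// the renderer, not input filtering, is the actual fix.
function suspiciousIdentifier(name) {
  return /[<>"'&]/.test(name);
}

// Constructed sample: table names as an autocomplete provider would
// receive them from schema metadata. The third one embeds markup.
const SAMPLE_TABLE_NAMES = [
  'users',
  'orders',
  'orders<img src=x onerror=alert(1)>',
];

// Render a whole hint list with the chosen renderer.
function renderAll(names, render) {
  return names.map(render).join('');
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('vulnerable:', renderAll(SAMPLE_TABLE_NAMES, renderHintVulnerable));
  console.log('hardened:  ', renderAll(SAMPLE_TABLE_NAMES, renderHintHardened));
  console.log('flagged:   ', SAMPLE_TABLE_NAMES.filter(suspiciousIdentifier));
}
```

Run with `node` to see the two renderings side by side: the vulnerable output still contains a live `<img>` element, while the hardened output shows the same name as inert text. The screening check is a detection aid for auditing shared datasources, not a substitute for escaping at the point of rendering.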

Impact

Successful exploitation of CVE-2026-7299 leads to arbitrary code execution in the browser of any workspace member who triggers SQL autocomplete, enabling session hijacking, privilege escalation, or credential theft.

Solution

Version 2.1 of Appsmith fixes this vulnerability. Users should update their installations as soon as possible.

Acknowledgements

Thanks to the reporter, Stuart Beck. This document was written by Christopher Cullen.

Vendor Information


Vendor: Appsmith
Status: Unknown

Notified: 2026-04-28 | Updated: 2026-06-02

CVE-2026-7299: Unknown

Vendor Statement

We have not received a statement from the vendor.
Other Information

CVE IDs: CVE-2026-7299
API URL: VINCE JSON | CSAF
Date Public: 2026-06-02
Date First Published: 2026-06-02
Date Last Updated: 2026-06-02 14:06 UTC
Document Revision: 1

Sponsored by CISA.