CVE-2026-7299

Published
View on NVD ↗
CVSS v3
6.3
MEDIUM
CVSS v2
N/A
Affected
2
PROJECTS

Description

Appsmith’s SQL query editor’s autocomplete functionality fails to sanitize database object names before rendering them in innerHTML, allowing an authenticated Developer to inject persistent XSS by a malicious table or column names triggering arbitrary code execution in the sessions of other workspace members when they interact with the same datasource.

appsmithorg/appsmith
appsmithorg/appsmith
Platform to build admin panels, internal tools, and dashboards. Integrates with 25+ databases and any API.
GitHubGitHub
40K
Stuub/Appsmith-1.98-Stored-XSS-Exploit
Stuub/Appsmith-1.98-Stored-XSS-Exploit
Automating the exploitation of CVE-2026-7299 - Stored XSS via Database Table/Column Names in SQL Autocomplete within Appsmith =>1.99. Initial discovery 30/03/26
GitHubGitHub
1