Stuub/Appsmith-1.98-Stored-XSS-Exploit

Releases0

Stars1

Automating the exploitation of CVE-2026-7299 - Stored XSS via Database Table/Column Names in SQL Autocomplete within Appsmith =>1.99. Initial discovery 30/03/26

CVE History

CVE	Published	CVSS v3	CVSS v2
CVE-2026-7299 ↗	Jun 2, 2026Tuesday, 2 June 2026, 16:16	6.3 MEDIUM	—
Appsmith’s SQL query editor’s autocomplete functionality fails to sanitize database object names before rendering them in innerHTML, allowing an authenticated Developer to inject persistent XSS by a malicious table or column names triggering arbitrary code execution in the sessions of other workspace members when they interact with the same datasource.