Bitnami package
appsmith
pkg:bitnami/appsmith
Vulnerabilities (14)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-34411 | Med | 5.3 | | < 1.98.0 | 1.98.0 | Mar 27, 2026 | Appsmith versions prior to 1.98 expose sensitive instance management API endpoints without authentication. Unauthenticated attackers can query endpoints like /api/v1/consolidated-api/view and /api/v1/tenants/current to retrieve configuration metadata, license information, and uns |
| CVE-2026-30862 | — | — | | < 1.96.0 | 1.96.0 | Mar 9, 2026 | Appsmith is a platform to build admin panels, internal tools, and dashboards. Prior to 1.96, a Critical Stored XSS vulnerability exists in the Table Widget (TableWidgetV2). The root cause is a lack of HTML sanitization in the React component rendering pipeline, allowing malicious |
| CVE-2026-24042 | — | — | | < 1.95.0 | 1.95.0 | Jan 22, 2026 | Appsmith is a platform to build admin panels, internal tools, and dashboards. In versions 1.94 and below, publicly accessible apps allow unauthenticated users to execute unpublished (edit-mode) actions by sending viewMode=false (or omitting it) to POST /api/v1/actions/execute. Th |
| CVE-2026-22794 | — | — | | < 1.93.0 | 1.93.0 | Jan 12, 2026 | Appsmith is a platform to build admin panels, internal tools, and dashboards. Prior to 1.93, the server uses the Origin value from the request headers as the email link baseUrl without validation. If an attacker controls the Origin, password reset / email verification links in em |
| CVE-2025-41240 | Cri | 10.0 | | >= 1.62.0-0, < 1.81.0-1 | 1.81.0-1 | Jul 24, 2025 | Three Bitnami Helm charts mount Kubernetes Secrets under a predictable path (/opt/bitnami/*/secrets) that is located within the web server document root. In affected versions, this can lead to unauthenticated access to sensitive credentials via HTTP/S. A remote attacker could ret |
| CVE-2024-55965 | — | — | | < 1.51.0 | 1.51.0 | Mar 26, 2025 | An issue was discovered in Appsmith before 1.51. Users invited as "App Viewer" incorrectly have access to development information of a workspace (specifically, a list of datasources in a workspace they're a member of). This information disclosure does not expose sensitive data in |
| CVE-2024-55964 | — | — | | < 1.52.0 | 1.52.0 | Mar 26, 2025 | An issue was discovered in Appsmith before 1.52. An incorrectly configured PostgreSQL instance in the Appsmith image leads to remote command execution inside the Appsmith Docker container. The attacker must be able to access Appsmith, login to it, create a datasource, create a qu |
| CVE-2024-55963 | — | — | | < 1.51.0 | 1.51.0 | Mar 26, 2025 | An issue was discovered in Appsmith before 1.51. A user on Appsmith that doesn't have admin permissions can trigger the restart API on Appsmith, causing a server restart. This is still within the Appsmith container, and the impact is limited to Appsmith's own server only, but the |
| CVE-2024-55604 | — | — | | < 1.51.0 | 1.51.0 | Mar 25, 2025 | Appsmith is a platform to build admin panels, internal tools, and dashboards. Users invited as "App Viewer" should not have access to development information of a workspace. Datasources are such a component in a workspace. Yet, in versions of Appsmith prior to 1.51, app viewers a |
| CVE-2024-51408 | — | — | | >= 1.8.3, < 1.46.0 | 1.46.0 | Nov 4, 2024 | AppSmith Community 1.8.3 before 1.46 allows SSRF via New DataSource for application/json requests to 169.254.169.254 to retrieve AWS metadata credentials. |
| CVE-2022-4096 | — | — | | < 1.8.2 | 1.8.2 | Nov 21, 2022 | Server-Side Request Forgery (SSRF) in GitHub repository appsmithorg/appsmith prior to 1.8.2. |
| CVE-2022-38299 | — | — | | >= 1.7.11, < 1.7.12 | 1.7.12 | Sep 12, 2022 | An issue in the Elasticsearch plugin of Appsmith v1.7.11 allows attackers to connect disallowed hosts to the AWS/GCP internal metadata endpoint. |
| CVE-2022-38298 | — | — | | >= 1.7.11, < 1.7.12 | 1.7.12 | Sep 12, 2022 | Appsmith v1.7.11 was discovered to allow attackers to execute an authenticated Server-Side Request Forgery (SSRF) via redirecting incoming requests to the AWS internal metadata endpoint. |
| CVE-2022-39824 | — | — | | < 1.7.15 | 1.7.15 | Sep 5, 2022 | Server-side JavaScript injection in Appsmith through 1.7.14 allows remote attackers to execute arbitrary JavaScript code from the server via the currentItem property of the list widget, e.g., to perform DoS attacks or achieve an information leak. |