VYPR

Appsmith

by Appsmithorg

CVEs (19)

  • CVE-2026-5418 (High, Apr 2, 2026)
    risk 0.40, cvss 7.3, epss 0.00

    A vulnerability was identified in appsmithorg appsmith up to 1.97. Impacted is the function computeDisallowedHosts of the file app/server/appsmith-interfaces/src/main/java/com/appsmith/util/WebClientUtils.java of the component Dashboard. Such manipulation leads to server-side…

  • CVE-2026-7299 (Medium, Jun 2, 2026)
    risk 0.34, cvss 6.3, epss 0.00

    Appsmith’s SQL query editor autocomplete fails to sanitize database object names before rendering them via innerHTML, allowing an authenticated Developer to inject persistent XSS by crafting malicious table or column names, resulting in arbitrary script execution in the…

  • CVE-2026-34411 (Medium, Mar 27, 2026)
    risk 0.27, cvss 5.3, epss 0.00

    Appsmith versions prior to 1.98 expose sensitive instance management API endpoints without authentication. Unauthenticated attackers can query endpoints like /api/v1/consolidated-api/view and /api/v1/tenants/current to retrieve configuration metadata, license information, and…

  • CVE-2024-55964 (Mar 26, 2025)
    risk 0.08, cvss not listed, epss 0.06

    An issue was discovered in Appsmith before 1.52. An incorrectly configured PostgreSQL instance in the Appsmith image leads to remote command execution inside the Appsmith Docker container. The attacker must be able to access Appsmith, log in to it, create a datasource, create a…

  • CVE-2024-55963 (Mar 26, 2025)
    risk 0.06, cvss not listed, epss 0.28

    An issue was discovered in Appsmith before 1.51. A user on Appsmith that doesn't have admin permissions can trigger the restart API on Appsmith, causing a server restart. This is still within the Appsmith container, and the impact is limited to Appsmith's own server only, but…

  • CVE-2026-49979 (Jun 24, 2026)
    risk 0.00, cvss not listed, epss 0.00

    Appsmith is a platform to build admin panels, internal tools, and dashboards. Prior to 1.99, the POST /api/v1/admin/send-test-email endpoint accepts attacker-controlled smtpHost and smtpPort values and establishes a raw JavaMail TCP connection without any IP validation. This…

  • CVE-2026-55454 (Jun 24, 2026)
    risk 0.00, cvss not listed, epss 0.00

    Appsmith is a platform to build admin panels, internal tools, and dashboards. Prior to 2.1, the bundled Caddy reverse-proxy's admin API — which has no authentication by default — is bound on 0.0.0.0:2019 inside the container. While this listener is not directly published to…

  • CVE-2026-55455 (Jun 24, 2026)
    risk 0.00, cvss not listed, epss 0.00

    Appsmith is a platform to build admin panels, internal tools, and dashboards. Prior to 2.1, the outbound HTTP host filter applied by WebClientUtils (used by the REST API and GraphQL datasource plugins) validates hosts against an exact-match string denylist. The comprehensive…

  • CVE-2026-50189 (Jun 24, 2026)
    risk 0.00, cvss not listed, epss 0.00

    Appsmith is a platform to build admin panels, internal tools, and dashboards. Prior to 2.1, Appsmith's bundled supervisord exposes an XML-RPC interface on port 9001, reachable from outside the container via a Caddy reverse-proxy route at /supervisor/* on the public ingress.…
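    The two items above (CVE-2026-55454 and CVE-2026-50189) both come down to a management listener inside the container that is bound wider than loopback. The following is an added check, not code from Appsmith or from this listing: it reads /proc/net/tcp and /proc/net/tcp6, decodes the kernel's hex address format, and reports any LISTEN socket on port 2019 (Caddy admin API) or 9001 (supervisord XML-RPC) that is not bound to a loopback address. The /proc text embedded below is constructed for the example; run the script inside a real container to check a deployment. It only reports what is listening and on which interface, not whether Caddy routes /supervisor/* to that port.

```python
import ipaddress
import socket
import struct

# Ports of the two bundled services named in the listing above.
ADMIN_PORTS = {2019: "caddy admin API", 9001: "supervisord XML-RPC"}
TCP_LISTEN = "0A"  # socket state value for LISTEN in /proc/net/tcp{,6}


def decode_proc_addr(hex_addr):
    """Decode a /proc/net/tcp{,6} address field ("0100007F:2329") into (ip, port).

    The kernel prints each 32-bit word of the address in host byte order, so on a
    little-endian machine every word has to be byte-swapped; struct's "<I" does
    that for IPv4 (one word) and IPv6 (four words) alike.
    """
    raw, port_hex = hex_addr.split(":")
    words = [int(raw[i:i + 8], 16) for i in range(0, len(raw), 8)]
    packed = b"".join(struct.pack("<I", w) for w in words)
    family = socket.AF_INET if len(packed) == 4 else socket.AF_INET6
    return ipaddress.ip_address(socket.inet_ntop(family, packed)), int(port_hex, 16)


def listening_sockets(proc_text):
    """Yield (ip, port) for every LISTEN socket in /proc/net/tcp or /proc/net/tcp6 text."""
    for line in proc_text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) > 3 and fields[3] == TCP_LISTEN:
            yield decode_proc_addr(fields[1])


def exposed_admin_listeners(proc_text):
    """Return [(service, ip, port)] for admin ports bound to anything but loopback."""
    findings = []
    for ip, port in listening_sockets(proc_text):
        if port in ADMIN_PORTS and not ip.is_loopback:
            findings.append((ADMIN_PORTS[port], str(ip), port))
    return findings


# Constructed sample mimicking /proc/net/tcp inside a container: the Caddy admin
# API on 0.0.0.0:2019 (all interfaces), supervisord on 127.0.0.1:9001, plus one
# ESTABLISHED connection (state 01) that must be ignored.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:07E3 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 20001 1 0000000000000000 100 0 0 10 0
   1: 0100007F:2329 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 20002 1 0000000000000000 100 0 0 10 0
   2: 0100007F:2329 0100007F:C3A0 01 00000000:00000000 00:00000000 00000000     0        0 20003 1 0000000000000000 20 4 30 10 -1
"""

# Constructed /proc/net/tcp6 sample: a dual-stack "::" bind also counts as exposed.
SAMPLE_PROC_NET_TCP6 = """\
  sl  local_address                         remote_address                        st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000000000000000000000000000:2329 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 20004 1 0000000000000000 100 0 0 10 0
"""

if __name__ == "__main__":
    for path in ("/proc/net/tcp", "/proc/net/tcp6"):
        try:
            with open(path) as fh:
                text = fh.read()
        except OSError:
            continue
        for service, ip, port in exposed_admin_listeners(text):
            print(f"EXPOSED: {service} listening on {ip}:{port}")
```

    Reading /proc directly rather than shelling out to ss or netstat matters here because the Appsmith image is a minimal container where those tools may be absent; the same decode works for any other port you want to audit.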

  • CVE-2026-30862 (Mar 9, 2026)
    risk 0.00, cvss not listed, epss 0.00

    Appsmith is a platform to build admin panels, internal tools, and dashboards. Prior to 1.96, a Critical Stored XSS vulnerability exists in the Table Widget (TableWidgetV2). The root cause is a lack of HTML sanitization in the React component rendering pipeline, allowing…

  • CVE-2026-24042 (Jan 22, 2026)
    risk 0.00, cvss not listed, epss 0.01

    Appsmith is a platform to build admin panels, internal tools, and dashboards. In versions 1.94 and below, publicly accessible apps allow unauthenticated users to execute unpublished (edit-mode) actions by sending viewMode=false (or omitting it) to POST /api/v1/actions/execute.…

  • CVE-2026-22794 (Jan 12, 2026)
    risk 0.00, cvss not listed, epss 0.00

    Appsmith is a platform to build admin panels, internal tools, and dashboards. Prior to 1.93, the server uses the Origin value from the request headers as the email link baseUrl without validation. If an attacker controls the Origin, password reset / email verification links in…
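    The failure described in CVE-2026-22794 is the classic reset-link poisoning pattern: a request-controlled header becomes the base of a link that is then emailed to the victim. Below is an added example, not Appsmith's code, showing the vulnerable derivation beside a hardened one that only accepts an Origin from an operator-configured allowlist and otherwise falls back to the configured canonical origin. CANONICAL_ORIGIN, TRUSTED_ORIGINS and the /user/resetPassword path are hypothetical values chosen for the example. The same rule applies to the Host header, which is just as attacker-controlled.

```python
from urllib.parse import urlsplit

# Hypothetical operator configuration: the instance's public origin and any
# additional origins the operator explicitly trusts (e.g. a second hostname).
CANONICAL_ORIGIN = "https://appsmith.corp.example"
TRUSTED_ORIGINS = {CANONICAL_ORIGIN, "https://tools.corp.example"}


def base_url_vulnerable(headers):
    """The pattern described above: whatever Origin the client sent becomes the link base."""
    return headers.get("Origin") or CANONICAL_ORIGIN


def normalise_origin(value):
    """Reduce a header value to lowercase scheme://host[:port], or None if malformed."""
    parts = urlsplit(value or "")
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme.lower()}://{parts.netloc.lower()}"


def base_url_hardened(headers):
    """Use the Origin header only when it is on the allowlist; never trust it by default.

    Matching is on the whole normalised origin, so look-alike hosts such as
    appsmith.corp.example.evil.example do not pass a prefix or substring test.
    """
    origin = normalise_origin(headers.get("Origin"))
    if origin in TRUSTED_ORIGINS:
        return origin
    return CANONICAL_ORIGIN


def password_reset_link(base_url, token):
    """Build the emailed link (hypothetical path; the token is constructed in the caller)."""
    return f"{base_url}/user/resetPassword?token={token}"


if __name__ == "__main__":
    # Constructed request headers from an attacker triggering a reset for a victim.
    attacker_headers = {"Origin": "https://evil.example", "Host": "evil.example"}
    print("vulnerable:", password_reset_link(base_url_vulnerable(attacker_headers), "t0k3n"))
    print("hardened:  ", password_reset_link(base_url_hardened(attacker_headers), "t0k3n"))
```

    With the vulnerable variant the victim receives a link to evil.example carrying a valid reset token; with the hardened variant the token only ever travels to the configured origin.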

  • CVE-2024-55965 (Mar 26, 2025)
    risk 0.00, cvss not listed, epss 0.00

    An issue was discovered in Appsmith before 1.51. Users invited as "App Viewer" incorrectly have access to development information of a workspace (specifically, a list of datasources in a workspace they're a member of). This information disclosure does not expose sensitive data…

  • CVE-2024-55604 (Mar 25, 2025)
    risk 0.00, cvss not listed, epss 0.00

    Appsmith is a platform to build admin panels, internal tools, and dashboards. Users invited as "App Viewer" should not have access to development information of a workspace. Datasources are such a component in a workspace. Yet, in versions of Appsmith prior to 1.51, app viewers…
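    Four entries in this list (CVE-2024-55963, CVE-2024-55965, CVE-2024-55604 and CVE-2026-24042) are the same class of bug: a server endpoint that does something privileged without checking that the caller holds the matching permission, or that lets the client choose its own privilege level through a request parameter (viewMode). The following added example is not Appsmith's code and its roles, permission names and sample data are hypothetical; it shows one server-side authorization layer that covers all three cases, with the execution mode derived from the caller's permissions rather than from the request.

```python
from dataclasses import dataclass

# Hypothetical role -> permission map, constructed for this example.
ROLE_PERMISSIONS = {
    "instance_admin": {"instance:manage", "workspace:develop", "application:edit", "application:view"},
    "developer": {"workspace:develop", "application:edit", "application:view"},
    "app_viewer": {"application:view"},
    "anonymous": {"application:view"},  # unauthenticated visitor of a public app
}


@dataclass
class Principal:
    name: str
    role: str

    def has(self, permission):
        return permission in ROLE_PERMISSIONS.get(self.role, set())


class Forbidden(Exception):
    pass


def require(principal, permission):
    if not principal.has(permission):
        raise Forbidden(f"{principal.name} ({principal.role}) lacks {permission}")


# Server restart (CVE-2024-55963): gate on an instance-level permission, not on login alone.
def restart_server(principal):
    require(principal, "instance:manage")
    return "restarting"


# Datasource listing (CVE-2024-55965 / CVE-2024-55604): development information is
# for developers of the workspace; App Viewers are refused outright.
WORKSPACE_DATASOURCES = [  # constructed sample data
    {"id": "ds1", "name": "orders-db", "type": "postgres"},
    {"id": "ds2", "name": "billing-api", "type": "rest"},
]


def list_datasources(principal):
    require(principal, "workspace:develop")
    return WORKSPACE_DATASOURCES


# Action execution (CVE-2026-24042): the server decides view vs edit mode.
ACTIONS = {  # constructed: one published action and one that exists only in edit mode
    "getOrders": {"published": True},
    "deleteAllOrders": {"published": False},
}


def execute_action(principal, action_id, requested_view_mode):
    require(principal, "application:view")
    # Honour viewMode=false only for callers allowed to edit; everyone else is
    # forced into view mode regardless of what the request says.
    view_mode = True if not principal.has("application:edit") else bool(requested_view_mode)
    if view_mode and not ACTIONS[action_id]["published"]:
        raise Forbidden(f"{action_id} is not published")
    return f"ran {action_id} in {'view' if view_mode else 'edit'} mode"


def denied(fn, *args):
    """True if the authorization layer rejects the call (used by the checks below)."""
    try:
        fn(*args)
    except Forbidden:
        return True
    return False


if __name__ == "__main__":
    anon, viewer, dev = Principal("anon", "anonymous"), Principal("v", "app_viewer"), Principal("d", "developer")
    print("anon runs unpublished action with viewMode=false:", denied(execute_action, anon, "deleteAllOrders", False))
    print("viewer lists datasources:", denied(list_datasources, viewer))
    print("developer restarts server:", denied(restart_server, dev))
```

    The key line is the one that computes view_mode: the request parameter is consulted only after the permission check has already decided whether the caller may leave view mode at all.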

  • CVE-2024-51408 (Nov 4, 2024)
    risk 0.00, cvss not listed, epss 0.00

    Appsmith Community Edition from 1.8.3 until before 1.46 allows SSRF via the New DataSource form: an application/json request to 169.254.169.254 can retrieve AWS instance metadata credentials.

  • CVE-2022-4096 (Nov 21, 2022)
    risk 0.00, cvss not listed, epss 0.01

    Server-Side Request Forgery (SSRF) in GitHub repository appsmithorg/appsmith prior to 1.8.2.

  • CVE-2022-38299 (Sep 12, 2022)
    risk 0.00, cvss not listed, epss 0.00

    An issue in the Elasticsearch plugin of Appsmith v1.7.11 allows attackers to reach the AWS/GCP internal metadata endpoint, bypassing the disallowed-hosts check.

  • CVE-2022-38298 (Sep 12, 2022)
    risk 0.00, cvss not listed, epss 0.01

    Appsmith v1.7.11 was discovered to allow authenticated Server-Side Request Forgery (SSRF): an attacker-controlled server redirects the outbound request to the AWS internal metadata endpoint.
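    Six of the entries on this page are outbound-request SSRF against the cloud metadata endpoint: CVE-2026-55455 (exact-match string denylist in the host filter), CVE-2026-49979 (unvalidated smtpHost), CVE-2026-5418, CVE-2024-51408, CVE-2022-38299, and CVE-2022-38298 (the redirect variant just above). The added example below is not Appsmith's code and its denylist, DNS table and HTTP responses are constructed. It puts the weak check beside a stronger one: resolve the host to addresses first, accepting the legacy numeric forms the OS resolver accepts, then reject anything that is not globally routable, and re-run that check on every redirect hop instead of letting the HTTP client follow redirects by itself.

```python
import ipaddress
import socket
from urllib.parse import urljoin, urlsplit

# An exact-match string denylist of the kind described above (constructed; not
# the project's own list).
EXACT_DENYLIST = {"169.254.169.254", "metadata.google.internal", "localhost", "127.0.0.1"}


def denylist_allows(host):
    """The weak check: a host is allowed unless its exact string is listed."""
    return host.strip("[]").lower() not in EXACT_DENYLIST


def literal_ips(host):
    """IPs a host literal denotes without DNS. Besides dotted-quad and IPv6 this
    covers the legacy forms inet_aton accepts ("2852039166", "0xa9fea9fe",
    "0251.0376.0251.0376"), which an exact-match denylist never matches."""
    h = host.strip("[]")
    try:
        return [ipaddress.ip_address(h)]
    except ValueError:
        pass
    try:
        return [ipaddress.ip_address(socket.inet_ntoa(socket.inet_aton(h)))]
    except OSError:
        return []


def is_forbidden(ip):
    """Reject anything that is not globally routable unicast, unwrapping
    IPv4-mapped IPv6 (::ffff:a.b.c.d) first so it cannot hide a v4 target."""
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def host_allowed(host, resolver):
    """The stronger check: resolve, then test every resulting address.
    resolver(host) -> list of address strings; unresolvable hosts are denied.
    In production use socket.getaddrinfo and connect to the address you checked."""
    ips = literal_ips(host) or [ipaddress.ip_address(a) for a in resolver(host)]
    return bool(ips) and not any(is_forbidden(ip) for ip in ips)


def fetch(url, resolver, http_get, max_hops=5):
    """Follow redirects by hand so every hop is validated before connecting.
    http_get(url) -> (status, location_or_None, body) is injected to run offline."""
    for _ in range(max_hops):
        host = urlsplit(url).hostname
        if host is None or not host_allowed(host, resolver):
            raise ValueError(f"blocked outbound request to {url}")
        status, location, body = http_get(url)
        if status in (301, 302, 303, 307, 308) and location:
            url = urljoin(url, location)
            continue
        return body
    raise ValueError("too many redirects")


# Constructed stand-ins for DNS and HTTP so the example is self-contained.
FAKE_DNS = {"api.example.com": ["93.184.216.34"], "metadata.internal.example": ["169.254.169.254"]}
FAKE_HTTP = {
    "https://api.example.com/v1/data": (200, None, '{"ok": true}'),
    "https://api.example.com/go": (302, "http://169.254.169.254/latest/meta-data/", ""),
}


def fake_resolver(host):
    return FAKE_DNS.get(host.lower(), [])


def fake_http_get(url):
    return FAKE_HTTP.get(url, (404, None, ""))


# Host spellings that all reach 169.254.169.254 while differing from the listed string.
BYPASS_HOSTS = ["2852039166", "0xa9fea9fe", "0251.0376.0251.0376",
                "[::ffff:169.254.169.254]", "metadata.internal.example"]


def compare_checks():
    """For each bypass host: (denylist verdict, resolved-address verdict)."""
    return {h: (denylist_allows(h), host_allowed(h, fake_resolver)) for h in BYPASS_HOSTS}


def blocked(url):
    """True if the hardened fetch refuses the request or one of its redirect hops."""
    try:
        fetch(url, fake_resolver, fake_http_get)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for host, (weak, strong) in compare_checks().items():
        print(f"{host:28} denylist allows={weak}  resolved check allows={strong}")
    print("redirect to metadata blocked:", blocked("https://api.example.com/go"))
```

    Every entry in BYPASS_HOSTS passes the string denylist and fails the address check. Two caveats the code comments only hint at: the address that was validated must be the one the socket connects to (otherwise a short-TTL DNS answer can change between check and connect), and the check has to run for the SMTP-style raw TCP case of CVE-2026-49979 just as for HTTP, since there is no URL parser in that path to do it for you.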

  • CVE-2022-39824 (Sep 5, 2022)
    risk 0.00, cvss not listed, epss 0.01

    Server-side JavaScript injection in Appsmith through 1.7.14 allows remote attackers to execute arbitrary JavaScript code from the server via the currentItem property of the list widget, e.g., to perform DoS attacks or achieve an information leak.