{"id":"CVE-2026-7299","summary":"CVE-2026-7299","details":"Appsmith's SQL query editor autocomplete does not sanitize database object names (table and column names) before rendering them via innerHTML. An authenticated user with the Developer role can therefore plant a persistent (stored) XSS payload in a malicious table or column name; the script executes in the browser sessions of other workspace members when they interact with the same datasource, allowing arbitrary JavaScript execution in their context.","aliases":["BIT-appsmith-2026-7299","GHSA-vvxf-f8q9-86gh"],"modified":"2026-06-06T03:52:23.547271428Z","published":"2026-06-02T14:07:52.626Z","database_specific":{"cna_assigner":"certcc","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/7xxx/CVE-2026-7299.json"},"references":[{"type":"WEB","url":"https://github.com/appsmithorg/appsmith/releases/tag/v2.1"},{"type":"WEB","url":"https://www.kb.cert.org/vuls/id/265691"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/7xxx/CVE-2026-7299.json"},{"type":"ADVISORY","url":"https://github.com/appsmithorg/appsmith/security/advisories/GHSA-vvxf-f8q9-86gh"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-7299"},{"type":"FIX","url":"https://github.com/appsmithorg/appsmith/commit/99d69180919981ed9bc5484050d809a5bec68acc"},{"type":"FIX","url":"https://github.com/appsmithorg/appsmith/pull/41666"},{"type":"PACKAGE","url":"https://github.com/Stuub/Appsmith-1.98-Stored-XSS-Exploit"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/appsmithorg/appsmith","events":[{"introduced":"0"},{"fixed":"9293a9b5a19b948f0c06cb33ac053bcaaf62144b"}]}],"versions":["v2.0","v1.99","v1.98","v1.97","v1.96","v1.95","v1.94","v1.93","v1.92","v1.91","v1.90","v1.89","v1.88","v1.86","v1.85","v1.84","v1.83","v1.82","v1.81","v1.80","v1.79","v1.78","v1.77","v1.76","v1.75","v1.74","v1.73","v1.72","v1.71","v1.70","v1.69","v1.68","v1.67","v1.66","v1.65","v1.64","v1.63","v1.62","v1.61","v1.60","v1.59","v1.58","v1.57","v1.56","v1.55","v1.54","v1.53","v1.52","
v1.49","v1.48","v1.51","v1.50","v1.47","v1.46","v1.45","v1.44","v1.43","v1.42","v1.41","v1.40","v1.39","v1.38.1","v1.38","v1.37","v1.36","v1.35","v1.34","v1.33","v1.32","v1.31","v1.30","v1.29","v1.28","v1.27","v1.26","v1.25","v1.24","v1.23","v1.22.1","V1.22","v1.21","v1.20","v1.19","v1.18","v1.17","v1.16","v1.15","v1.14","v1.13","v1.12","v1.11","v1.10","v1.9.61","v1.9.60","v1.9.58","v1.9.57","v1.9.56","v1.9.55","v1.9.54","v1.9.53","v1.9.52","v1.9.51","v1.9.50","v1.9.49","v1.9.48","v1.9.47","v1.9.46","v1.9.45","v1.9.44","v1.9.43","v1.9.42","v1.9.41","v1.9.40","v1.9.39","v1.9.38","v1.9.37.1","v1.9.37","v1.9.36","v1.9.35","v1.9.34","v1.9.33","v1.9.32","v1.9.31","v1.9.30","v1.9.29","v1.9.28","v1.9.27","v1.9.26","v1.9.25","v1.9.24","v1.9.23","v1.9.22","v1.9.21","v1.9.20.4","v1.9.20.3","v1.9.20.2","v1.9.20","v1.9.19","v1.9.18","v1.9.17","v1.9.16","v1.9.15","v1.9.14","v1.9.13","v1.9.12","v1.9.11","v1.9.10","v1.9.9","v1.9.8","v1.9.7","v1.9.6","v1.9.5","v1.9.4","v1.9.3.1","v1.9.3","v1.9.2","v1.9.1","v1.9.0","v1.8.15","v1.8.14.1","v1.8.14","v1.8.13","v1.8.12","v1.8.11","v1.8.10","v1.8.9","v1.8.8","v1.8.7","v1.8.6","v1.7.11","v1.8.5","v1.8.4","v1.8.3","v1.8.2","v1.8.1","v1.8.0","v1.7.14","v1.7.13","v1.7.12","v1.7.10","v1.7.9","v1.7.8","v1.7.7","v1.7.6","v1.7.5","v1.7.4","v1.7.1","v1.7.0","v.1.6.25","v.1.6.23","v1.6.21","v1.6.20","v1.6.19","v1.6.18","v1.6.17","v1.6.16","v1.6.15","v1.6.14","v1.6.13","v1.6.12","v1.6.11","v1.6.10","v1.6.9","v1.6.8","v1.6.7","v1.6.6","v1.6.5","v1.6.4","v1.6.3","v1.5.17","v1.4.4","v1.4.3","v1.2.16","v1.2.4","v1.2.2","v1.2.1","v1.2","v1.1","v1.0.2","v1.0.1","v1.0","v1.0-beta.2"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-7299.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N"}]}