
Appsmithorg Appsmith vulnerabilities

9 known vulnerabilities affecting appsmithorg/appsmith.

Total CVEs: 9
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 4, HIGH 3, MEDIUM 1, LOW 1

Vulnerabilities

CVE-2026-55454 | P2 | CRITICAL | CVSS 9.9 | fixed in 2.1 | 2026-06-24
CWE-749: Appsmith is a platform to build admin panels, internal tools, and dashboards. Prior to 2.1, the bundled Caddy reverse-proxy's admin API — which has no authentication by default — is bound on 0.0.0.0:2019 inside the container. While this listener is not directly published to the host by docker-compose.yml, it is reachable from the Appsmith server p
Source: NVD
CVE-2026-24042 | P2 | CRITICAL | CVSS 9.8 | affected ≤ 1.94 | 2026-01-22
CWE-862: Appsmith is a platform to build admin panels, internal tools, and dashboards. In versions 1.94 and below, publicly accessible apps allow unauthenticated users to execute unpublished (edit-mode) actions by sending viewMode=false (or omitting it) to POST /api/v1/actions/execute. This bypasses the expected publish boundary where public viewers should
Source: NVD
CVE-2026-55455 | P3 | CRITICAL | CVSS 9.1 | fixed in 2.1 | 2026-06-24
CWE-918: Appsmith is a platform to build admin panels, internal tools, and dashboards. Prior to 2.1, the outbound HTTP host filter applied by WebClientUtils (used by the REST API and GraphQL datasource plugins) validates hosts against an exact-match string denylist. The comprehensive address-class check (loopback, any-local, link-local, fc00::/7) exists on
Source: NVD
CVE-2026-22794 | P3 | HIGH | CVSS 8.8 | fixed in 1.93 | 2026-01-12
CWE-346: Appsmith is a platform to build admin panels, internal tools, and dashboards. Prior to 1.93, the server uses the Origin value from the request headers as the email link baseUrl without validation. If an attacker controls the Origin, password reset / email verification links in emails can be generated pointing to the attacker's domain, causing authenti
Source: NVD
CVE-2026-30862 | P3 | CRITICAL | CVSS 9.0 | fixed in 1.96 | 2026-03-10
CWE-79: Appsmith is a platform to build admin panels, internal tools, and dashboards. Prior to 1.96, a Critical Stored XSS vulnerability exists in the Table Widget (TableWidgetV2). The root cause is a lack of HTML sanitization in the React component rendering pipeline, allowing malicious attributes to be interpolated into the DOM. By leveraging the "Invite
Source: NVD
CVE-2026-50189 | P3 | HIGH | CVSS 7.2 | fixed in 2.1 | 2026-06-24
CWE-183: Appsmith is a platform to build admin panels, internal tools, and dashboards. Prior to 2.1, Appsmith's bundled supervisord exposes an XML-RPC interface on port 9001, reachable from outside the container via a Caddy reverse-proxy route at /supervisor/* on the public ingress. Combined with the APPSMITH_SUPERVISOR_PASSWORD exposed via GET /api/v1/admin/e
Source: NVD
CVE-2026-5418 | P3 | HIGH | CVSS 7.3 | affected v1.0, v1.1, +96 more | 2026-04-02
CWE-918: A vulnerability was identified in appsmithorg appsmith up to 1.97. Impacted is the function computeDisallowedHosts of the file app/server/appsmith-interfaces/src/main/java/com/appsmith/util/WebClientUtils.java of the component Dashboard. Such manipulation leads to server-side request forgery. The attack may be launched remotely. The exploit is publicly
Source: NVD
CVE-2024-55604 | P4 | MEDIUM | CVSS 4.3 | fixed in 1.51 | 2025-03-25
CWE-280: Appsmith is a platform to build admin panels, internal tools, and dashboards. Users invited as "App Viewer" should not have access to development information of a workspace. Datasources are such a component in a workspace. Yet, in versions of Appsmith prior to 1.51, app viewers are able to get a list of datasources in a workspace they're a member of.
Source: NVD
CVE-2026-49979 | P4 | LOW | CVSS 2.7 | fixed in 1.99 | 2026-06-24
CWE-209: Appsmith is a platform to build admin panels, internal tools, and dashboards. Prior to 1.99, the POST /api/v1/admin/send-test-email endpoint accepts attacker-controlled smtpHost and smtpPort values and establishes a raw JavaMail TCP connection without any IP validation. This completely bypasses WebClientUtils.IP_CHECK_FILTER, which only applies to Spri
Source: NVD