Vasco0X4

#42621 of 53,633
6.3 Total CVSS
Vulnerabilities · 1
PT-2026-45788
6.3
2026-06-02
Appsmith · Appsmith · CVE-2026-7299
**Name of the Vulnerable Software and Affected Versions**

Appsmith versions prior to 2.1

**Description**

The SQL query editor's autocomplete functionality fails to sanitize database object names before rendering them using `innerHTML`. This allows an authenticated Developer with access to a shared PostgreSQL datasource to inject persistent Cross-Site Scripting (XSS) by creating malicious table or column names. When other workspace members interact with the same datasource and trigger the autocomplete feature, the unsanitized names execute arbitrary JavaScript in their sessions, potentially leading to session hijacking, privilege escalation, or credential theft.

**Recommendations**

Update to version 2.1.
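The rendering flaw described above, as an added example that is not Appsmith's code: a dropdown builder that concatenates database object names straight into an `innerHTML` string, beside an escaped variant and a `textContent`-based variant. The function names and the `<li>` suggestion structure are assumptions; the sample names are constructed.

```javascript
// Constructed object names as a shared datasource could return them. The
// second carries markup, which anyone with DDL rights on that database can create.
const SAMPLE_NAMES = ["orders", "cust<b>omers</b>", 'a"b&c'];

// Vulnerable pattern (hypothetical): the dropdown markup is built by string
// concatenation and handed to innerHTML, so any tag inside a name becomes a live
// element in the viewer's session.
function buildSuggestionsUnsafe(names) {
  return names.map((n) => `<li class="suggestion">${n}</li>`).join("");
}

// Minimal HTML entity escaping for data placed into element content or attributes.
// '&' is replaced first so later replacements are not double-encoded.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Hardened pattern 1: keep the innerHTML sink but escape every name first.
function buildSuggestionsEscaped(names) {
  return names
    .map((n) => `<li class="suggestion">${escapeHtml(n)}</li>`)
    .join("");
}

// Hardened pattern 2 (preferred in a browser): do not use innerHTML for data at
// all. Create the nodes and set textContent, which the parser never treats as markup.
function renderSuggestions(listEl, names) {
  listEl.replaceChildren();
  for (const n of names) {
    const li = listEl.ownerDocument.createElement("li");
    li.className = "suggestion";
    li.textContent = n;
    listEl.appendChild(li);
  }
}

// Review-time check: apart from the fixed <li> wrappers, no tag may survive in
// the generated markup. Useful as a unit test guarding the autocomplete renderer.
function hasUnescapedTag(html) {
  return /<(?!\/?li\b)[^>]*>/.test(html);
}
```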