PT-2026-45788 · Appsmith · Appsmith

Published: 2026-06-02 · Updated: 2026-06-02 · CVE-2026-7299

CVSS v3.1: 6.3 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Appsmith versions prior to 2.1

Description: The SQL query editor's autocomplete functionality fails to sanitize database object names before rendering them via innerHTML. An authenticated Developer with access to a shared PostgreSQL datasource can therefore inject persistent Cross-Site Scripting (XSS) by creating malicious table or column names. When other workspace members use the same datasource and trigger autocomplete, the unsanitized names are parsed as HTML and lead to arbitrary JavaScript execution in their sessions, which can result in session hijacking, privilege escalation, or credential theft.

Recommendations: Update to version 2.1.
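As an added example (not Appsmith's code), the rendering pattern the description refers to, shown beside two hardened versions; the sample column names, the `stubDocument` stand-in and every function name are constructed for this illustration:

```javascript
// Constructed sample: column names from a shared PostgreSQL datasource.
// Quoted identifiers may contain almost any character, including markup.
const SAMPLE_COLUMNS = [
  'id',
  'email',
  'name"><img src=x onerror=alert(1)>', // constructed hostile identifier
];

// Vulnerable pattern (what the advisory describes): names concatenated
// into markup that is later assigned to innerHTML, so the browser parses
// the identifier as HTML and runs any event handler it carries.
function renderSuggestionsUnsafe(names) {
  return '<ul>' + names.map((n) => `<li>${n}</li>`).join('') + '</ul>';
}

// Fix 1: escape every HTML-significant character before the string
// reaches innerHTML.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

function renderSuggestionsEscaped(names) {
  return '<ul>' + names.map((n) => `<li>${escapeHtml(n)}</li>`).join('') + '</ul>';
}

// Fix 2 (preferred): build elements and set textContent, which is never
// parsed as HTML. `doc` is the browser `document` or the stub below.
function renderSuggestionsDom(names, doc) {
  const ul = doc.createElement('ul');
  for (const n of names) {
    const li = doc.createElement('li');
    li.textContent = n; // shown verbatim, never interpreted
    ul.appendChild(li);
  }
  return ul;
}

// Minimal constructed stand-in for `document` so this runs outside a browser.
const stubDocument = {
  createElement: (tag) => ({
    tag, textContent: '', children: [],
    appendChild(child) { this.children.push(child); return child; },
  }),
};
```

The escaped string still round-trips the identifier for display, while the DOM version sidesteps HTML parsing entirely and is the safer default for any widget that shows user-controlled names.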

Related Identifiers: CVE-2026-7299

Affected Products: Appsmith