CVE-2026-2274
HIGHAppSheet Web (Main Server) < 2025-11-23 - Authenticated Server-Side Request Forgery and Arbitrary File Read
Title source: llmDescription
A SSRF and Arbitrary File Read vulnerability in AppSheet Core in Google AppSheet prior to 2025-11-23 allows an authenticated remote attacker to read sensitive local files and access internal network resources via crafted requests to the production cluster. This vulnerability was patched and no customer action is needed.
References (1)
Core 1
Core References
Various Sources
https://discuss.google.dev/t/november-23-2025/332118
Scores
CVSS v4
8.5
EPSS
0.0025
EPSS Percentile
16.3%
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Clear
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-918
Status
published
Products (1)
AppSheet/AppSheet Web (Main Server)
< 2025-11-23
Published
Feb 19, 2026
Tracked Since
Feb 19, 2026