CVE-2026-7299

MEDIUM

Appsmith < 2.1 - XSS

Exploitation Summary

EIP tracks 1 public exploit for CVE-2026-7299, a PoC published by Stuub.

AI-analyzed exploit summary: This repository contains a functional exploit for CVE-2026-7299, a stored XSS vulnerability in Appsmith v1.98. The exploit automates the creation of a malicious PostgreSQL table name that triggers XSS when rendered in the SQL autocomplete feature.

Description

Appsmith’s SQL query editor autocomplete fails to sanitize database object names before rendering them via innerHTML. An authenticated user with the Developer role can therefore plant a persistent XSS payload in a table or column name; the script runs in the browser sessions of other workspace members whenever they interact with the same datasource and the hostile name is rendered.
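How the rendering flaw described above turns a database identifier into executable markup, and how to close it, as an added illustration written for this page. This is not Appsmith's source and not the Stuub exploit; the introspection records, function names and CSS class below are constructed assumptions, and the hostile identifier is a generic probe string rather than anything taken from the PoC.

```javascript
// Added example, not Appsmith's code: a PostgreSQL object name reaching an
// innerHTML sink unescaped, beside two mitigations and a detection aid.
// The introspection records are constructed; names and fields are illustrative.

// Constructed result of a schema introspection query. Quoted PostgreSQL
// identifiers may hold almost any character (up to 63 bytes), so a user with
// CREATE on the datasource can name a table like the second entry.
const INTROSPECTED_TABLES = [
  { schema: "public", name: "users", columns: ["id", "email"] },
  {
    schema: "public",
    name: '<img src=x onerror="alert(document.cookie)">',
    columns: ["id", 'a" onmouseover="alert(1)'],
  },
];

// Vulnerable pattern: identifiers interpolated into markup that is later
// assigned to element.innerHTML. The browser parses the name as HTML, so the
// <img> is created and its onerror handler fires for every user who opens
// autocomplete against this datasource.
function renderHintVulnerable(table) {
  const cols = table.columns.join(", ");
  return `<li class="hint"><b>${table.name}</b> <span>${cols}</span></li>`;
}

// Mitigation 1: escape every identifier before it is concatenated into markup.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}
function renderHintEscaped(table) {
  const cols = table.columns.map(escapeHtml).join(", ");
  return `<li class="hint"><b>${escapeHtml(table.name)}</b> <span>${cols}</span></li>`;
}
// Mitigation 2 (preferred in browser code): build elements with
// document.createElement and assign the name through textContent, which never
// parses markup. That variant needs a live DOM, so it is not reproduced here.

// Detection aid for responders: list identifiers already present in the
// datasource that contain HTML-significant characters, which legitimate
// schemas almost never need, so a planted payload can be found and dropped
// even after the renderer is fixed.
const MARKUP_CHARS = /[<>"'&]/;
function findHostileIdentifiers(tables) {
  const hits = [];
  for (const t of tables) {
    if (MARKUP_CHARS.test(t.name)) hits.push(`${t.schema}.${t.name}`);
    for (const c of t.columns) {
      if (MARKUP_CHARS.test(c)) hits.push(`${t.schema}.${t.name}.${c}`);
    }
  }
  return hits;
}
```

Run under Node to compare `renderHintVulnerable` and `renderHintEscaped` on the second record: the first returns a string in which the `<img>` survives as a tag, the second returns the same name as inert text. `findHostileIdentifiers` is the query a responder would run against introspection output from every datasource the affected workspace can reach.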

Exploits (1)

GitHub · WORKING POC
by Stuub · python · poc
https://github.com/Stuub/Appsmith-1.98-Stored-XSS-Exploit

Classification
Working PoC 95%
Attack Type
XSS
Complexity
Moderate
Reliability
Reliable
Target: Appsmith v1.98
Auth required
Prerequisites: Valid Appsmith credentials · Workspace Developer role · Access to a writable PostgreSQL datasource
devstral-2 · analyzed Jun 02, 2026

Scores

CVSS v3.1 6.3 (Medium)
EPSS 0.0004
EPSS Percentile 12.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation PoC
Automatable no
Technical Impact partial

Details

CWE
CWE-79
Status published
Products (2)
appsmith/appsmith < 1.99
Appsmith/Appsmith < 2.1
Published Jun 02, 2026
Tracked Since Jun 02, 2026