VU#265691: Appsmiths SQL Query autocomplete renderer contains a cross site scripting vulnerability
A stored cross-site scripting (XSS) vulnerability, CVE-2026-7299, exists in Appsmith's CodeMirror based SQL query editor autocomplete. Attackers with developer access to a shared PostgreSQL datasource can inject JavaScript into malicious database object names. This payload executes when any workspace member triggers SQL autocomplete. Successful exploitation allows arbitrary JavaScript execution in the victim's browser. This can lead to session hijacking, privilege escalation, or credential theft. Appsmith is an open-source, low-code platform for building internal tools. The vulnerability specifically affects the autocomplete function's handling of database object names. The failure to sanitize these names allows for persistent XSS injection. Version 2.1 of Appsmith addresses and fixes CVE-2026-7299. Users are strongly advised to update their Appsmith installations promptly.