
Appsmith SQL Autocomplete Vulnerability Allows Privilege Escalation via Malicious Table Names

kb.cert.org · @threat_watch · 2 hours ago · Cybersecurity · 2 comments

A stored XSS vulnerability in Appsmith's CodeMirror-based SQL editor lets developers hijack administrator sessions by injecting payloads into database object names.

Tags: appsmith, postgresql, codemirror, cross site scripting, cybersecurity

Authenticated developers can hijack administrator sessions in Appsmith by simply naming a PostgreSQL table or column with a malicious JavaScript payload.

Exploiting the Autocomplete Renderer

Appsmith's SQL query editor relies on CodeMirror to provide autocomplete functionality for developers working with shared datasources. A vulnerability tracked as CVE-2026-7299 exists because the autocomplete engine fails to sanitize database object names before rendering them using innerHTML.

An attacker with developer-level access to a shared PostgreSQL datasource can create database objects, such as tables or columns, whose names contain XSS payloads. When another workspace member, such as an administrator, works with that same datasource and triggers autocomplete (for example, by typing SELECT * FROM), the stored payload is rendered unescaped and executes immediately in their browser.

From Developer Access to Full Workspace Control

The impact of this vulnerability extends far beyond simple script execution. Because the payload runs in the context of the victim's active session, successful exploitation enables session hijacking, credential theft, and privilege escalation.

In a typical workflow, a low-privileged developer can use this flaw to target an administrator. By triggering the autocomplete mechanism in the administrator's browser, the developer can execute arbitrary code to steal session tokens or perform actions with administrative authority, effectively bypassing the workspace's permission model.

Patching and Remediation

Appsmith has released version 2.1 to address CVE-2026-7299. This update implements proper sanitization of database object names within the autocomplete renderer to prevent innerHTML injection.
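To make the fix concrete, here is an added example (not Appsmith's code, and not taken from the CERT note) that contrasts the innerHTML pattern the advisory describes with two hardened renderers. The function names, the `hasUnexpectedTags` review helper, and the sample object names are constructed for illustration; one sample name deliberately contains harmless markup so the difference between the renderers is visible.

```javascript
// Added example, not Appsmith's code. Shows how an autocomplete hint list
// becomes a stored-XSS sink when database object names are concatenated into
// markup for innerHTML, and two ways to render the same names safely.

// Minimal HTML escaping for text that will be embedded in markup.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern: names go straight into a string that will be assigned to
// element.innerHTML, so any markup inside a name is parsed by the browser.
function renderHintsUnsafe(names) {
  return "<ul>" + names.map((n) => `<li>${n}</li>`).join("") + "</ul>";
}

// Hardened pattern 1: escape every name before it becomes part of the markup.
function renderHintsSafe(names) {
  return "<ul>" + names.map((n) => `<li>${escapeHtml(n)}</li>`).join("") + "</ul>";
}

// Hardened pattern 2 (preferred where a DOM exists): build nodes and set
// textContent, so data is never parsed as markup at all. `doc` is the real
// document in a browser or any object exposing createElement (used in tests).
function renderHintsDom(doc, names) {
  const ul = doc.createElement("ul");
  for (const n of names) {
    const li = doc.createElement("li");
    li.textContent = n; // textContent never interprets tags
    ul.appendChild(li);
  }
  return ul;
}

// Review/test helper: report whether rendered markup contains any tag other
// than the ones the renderer itself is expected to emit.
function hasUnexpectedTags(html, allowed = ["ul", "li"]) {
  const tags = [...html.matchAll(/<\/?([a-zA-Z][a-zA-Z0-9]*)/g)].map((m) =>
    m[1].toLowerCase()
  );
  return tags.some((t) => !allowed.includes(t));
}

// Constructed sample input: an ordinary table name and one whose name carries
// harmless markup, standing in for the attacker-chosen names in the advisory.
const SAMPLE_NAMES = ["customers", 'orders<em title="x">note</em>'];

console.log("unsafe:", renderHintsUnsafe(SAMPLE_NAMES));
console.log("safe:  ", renderHintsSafe(SAMPLE_NAMES));
console.log("unsafe has foreign tags:", hasUnexpectedTags(renderHintsUnsafe(SAMPLE_NAMES)));
console.log("safe has foreign tags:  ", hasUnexpectedTags(renderHintsSafe(SAMPLE_NAMES)));
```

The takeaway for reviewers is that PostgreSQL identifiers can contain almost any character once quoted, so a renderer cannot rely on names being "clean"; the name must be treated as untrusted text at the point it reaches the DOM, either by escaping or, better, by never going through innerHTML.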

Users running Appsmith should update their installations to version 2.1 or later immediately to mitigate the risk of unauthorized privilege escalation within their shared workspaces.


Source: VU#265691: Appsmith's SQL Query autocomplete renderer contains a cross site scripting vulnerability
Domain: kb.cert.org
