CVE-2026-5418

Summary

A vulnerability was identified in appsmithorg appsmith up to 1.97. Impacted is the function computeDisallowedHosts of the file app/server/appsmith-interfaces/src/main/java/com/appsmith/util/WebClientUtils.java of the component Dashboard. Such manipulation leads to server-side request forgery. The attack may be launched remotely. The exploit is publicly available and might be used. Upgrading to version 1.99 is recommended to address this issue. The affected component should be upgraded. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.

Affected Software

VendorProductVersion RangeStatus
appsmithorgappsmith1.0affected
appsmithorgappsmith1.1affected
appsmithorgappsmith1.2affected
appsmithorgappsmith1.3affected
appsmithorgappsmith1.4affected
appsmithorgappsmith1.5affected
appsmithorgappsmith1.6affected
appsmithorgappsmith1.7affected
appsmithorgappsmith1.8affected
appsmithorgappsmith1.9affected
appsmithorgappsmith1.10affected
appsmithorgappsmith1.11affected
appsmithorgappsmith1.12affected
appsmithorgappsmith1.13affected
appsmithorgappsmith1.14affected
appsmithorgappsmith1.15affected
appsmithorgappsmith1.16affected
appsmithorgappsmith1.17affected
appsmithorgappsmith1.18affected
appsmithorgappsmith1.19affected
appsmithorgappsmith1.20affected
appsmithorgappsmith1.21affected
appsmithorgappsmith1.22affected
appsmithorgappsmith1.23affected
appsmithorgappsmith1.24affected
appsmithorgappsmith1.25affected
appsmithorgappsmith1.26affected
appsmithorgappsmith1.27affected
appsmithorgappsmith1.28affected
appsmithorgappsmith1.29affected
appsmithorgappsmith1.30affected
appsmithorgappsmith1.31affected
appsmithorgappsmith1.32affected
appsmithorgappsmith1.33affected
appsmithorgappsmith1.34affected
appsmithorgappsmith1.35affected
appsmithorgappsmith1.36affected
appsmithorgappsmith1.37affected
appsmithorgappsmith1.38affected
appsmithorgappsmith1.39affected
appsmithorgappsmith1.40affected
appsmithorgappsmith1.41affected
appsmithorgappsmith1.42affected
appsmithorgappsmith1.43affected
appsmithorgappsmith1.44affected
appsmithorgappsmith1.45affected
appsmithorgappsmith1.46affected
appsmithorgappsmith1.47affected
appsmithorgappsmith1.48affected
appsmithorgappsmith1.49affected
appsmithorgappsmith1.50affected
appsmithorgappsmith1.51affected
appsmithorgappsmith1.52affected
appsmithorgappsmith1.53affected
appsmithorgappsmith1.54affected
appsmithorgappsmith1.55affected
appsmithorgappsmith1.56affected
appsmithorgappsmith1.57affected
appsmithorgappsmith1.58affected
appsmithorgappsmith1.59affected
appsmithorgappsmith1.60affected
appsmithorgappsmith1.61affected
appsmithorgappsmith1.62affected
appsmithorgappsmith1.63affected
appsmithorgappsmith1.64affected
appsmithorgappsmith1.65affected
appsmithorgappsmith1.66affected
appsmithorgappsmith1.67affected
appsmithorgappsmith1.68affected
appsmithorgappsmith1.69affected
appsmithorgappsmith1.70affected
appsmithorgappsmith1.71affected
appsmithorgappsmith1.72affected
appsmithorgappsmith1.73affected
appsmithorgappsmith1.74affected
appsmithorgappsmith1.75affected
appsmithorgappsmith1.76affected
appsmithorgappsmith1.77affected
appsmithorgappsmith1.78affected
appsmithorgappsmith1.79affected
appsmithorgappsmith1.80affected
appsmithorgappsmith1.81affected
appsmithorgappsmith1.82affected
appsmithorgappsmith1.83affected
appsmithorgappsmith1.84affected
appsmithorgappsmith1.85affected
appsmithorgappsmith1.86affected
appsmithorgappsmith1.87affected
appsmithorgappsmith1.88affected
appsmithorgappsmith1.89affected
appsmithorgappsmith1.90affected
appsmithorgappsmith1.91affected
appsmithorgappsmith1.92affected
appsmithorgappsmith1.93affected
appsmithorgappsmith1.94affected
appsmithorgappsmith1.95affected
appsmithorgappsmith1.96affected
appsmithorgappsmith1.97affected
appsmithorgappsmith1.99unaffected

Weaknesses

  • CWE-918: Server-Side Request Forgery

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: yes
    • Technical Impact: partial

References