Description

A vulnerability was identified in appsmithorg appsmith up to 1.97. It affects the function computeDisallowedHosts in the file app/server/appsmith-interfaces/src/main/java/com/appsmith/util/WebClientUtils.java of the Dashboard component. Manipulation of this function leads to server-side request forgery. The attack can be launched remotely. The exploit is publicly available and might be used. Upgrading the affected component to version 1.99 is recommended to address this issue. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.

PUBLISHED Reserved 2026-04-02 | Published 2026-04-02 | Updated 2026-04-03 | Assigner VulDB




MEDIUM: 6.9 | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P
HIGH: 7.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C
HIGH: 7.3 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C
7.5 | AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:OF/RC:C

Problem types

Server-Side Request Forgery

Product status

1.0: affected
1.1: affected
1.2: affected
1.3: affected
1.4: affected
1.5: affected
1.6: affected
1.7: affected
1.8: affected
1.9: affected
1.10: affected
1.11: affected
1.12: affected
1.13: affected
1.14: affected
1.15: affected
1.16: affected
1.17: affected
1.18: affected
1.19: affected
1.20: affected
1.21: affected
1.22: affected
1.23: affected
1.24: affected
1.25: affected
1.26: affected
1.27: affected
1.28: affected
1.29: affected
1.30: affected
1.31: affected
1.32: affected
1.33: affected
1.34: affected
1.35: affected
1.36: affected
1.37: affected
1.38: affected
1.39: affected
1.40: affected
1.41: affected
1.42: affected
1.43: affected
1.44: affected
1.45: affected
1.46: affected
1.47: affected
1.48: affected
1.49: affected
1.50: affected
1.51: affected
1.52: affected
1.53: affected
1.54: affected
1.55: affected
1.56: affected
1.57: affected
1.58: affected
1.59: affected
1.60: affected
1.61: affected
1.62: affected
1.63: affected
1.64: affected
1.65: affected
1.66: affected
1.67: affected
1.68: affected
1.69: affected
1.70: affected
1.71: affected
1.72: affected
1.73: affected
1.74: affected
1.75: affected
1.76: affected
1.77: affected
1.78: affected
1.79: affected
1.80: affected
1.81: affected
1.82: affected
1.83: affected
1.84: affected
1.85: affected
1.86: affected
1.87: affected
1.88: affected
1.89: affected
1.90: affected
1.91: affected
1.92: affected
1.93: affected
1.94: affected
1.95: affected
1.96: affected
1.97: affected
1.99: unaffected

Timeline

2026-04-02: Advisory disclosed
2026-04-02: VulDB entry created
2026-04-02: VulDB entry last update

Credits

Executio (VulDB User) reporter

VulDB CNA Team coordinator

References

vuldb.com/vuln/354855 (VDB-354855 | appsmithorg appsmith Dashboard WebClientUtils.java computeDisallowedHosts server-side request forgery) vdb-entry technical-description

vuldb.com/vuln/354855/cti (VDB-354855 | CTI Indicators (IOB, IOC, IOA)) signature permissions-required

vuldb.com/submit/780190 (Submit #780190 | appsmithorg appsmith v1.97 Server-Side Request Forgery) third-party-advisory

github.com/...psmith/security/advisories/GHSA-9m89-5jw7-q5cr exploit

github.com/appsmithorg/appsmith/ product

cve.org (CVE-2026-5418)

nvd.nist.gov (CVE-2026-5418)