appsmith CVE Vulnerabilities & Metrics

Focus on appsmith vulnerabilities and metrics.

Last updated: 08 Mar 2025, 23:25 UTC

About appsmith Security Exposure

This page consolidates all known Common Vulnerabilities and Exposures (CVEs) associated with appsmith. We track both calendar-based metrics (using fixed periods) and rolling metrics (using gliding windows) to give you a comprehensive view of security trends and risk evolution. Use these insights to assess risk and plan your patching strategy.

For a broader perspective on cybersecurity threats, explore the comprehensive list of CVEs by vendor and product. Stay updated on critical vulnerabilities affecting major software and hardware providers.

Global CVE Overview

Total appsmith CVEs: 5
Earliest CVE date: 05 Sep 2022, 03:15 UTC
Latest CVE date: 04 Nov 2024, 14:15 UTC

Latest CVE reference: CVE-2024-51408

Rolling Stats

30-day Count (Rolling): 0
365-day Count (Rolling): 1

Calendar-based Variation

Calendar-based Variation compares a fixed calendar period (e.g., this month versus the same month last year), while Rolling Growth Rate uses a continuous window (e.g., last 30 days versus the previous 30 days) to capture trends independent of calendar boundaries.

Variations & Growth

Month Variation (Calendar): 0%
Year Variation (Calendar): 0%

Month Growth Rate (30-day Rolling): 0.0%
Year Growth Rate (365-day Rolling): 0.0%

Monthly CVE Trends (current vs previous Year)

Annual CVE Trends (Last 20 Years)

Critical appsmith CVEs (CVSS ≥ 9) Over 20 Years

CVSS Stats

Average CVSS: 0.0

Max CVSS: 0

Critical CVEs (≥9): 0

CVSS Range vs. Count

Range	Count
0.0-3.9	5
4.0-6.9	0
7.0-8.9	0
9.0-10.0	0

CVSS Distribution Chart

Top 5 Highest CVSS appsmith CVEs

These are the five CVEs with the highest CVSS scores for appsmith, sorted by severity first and recency.

CVE-2024-51408 appsmith Published on 04 Nov 2024, 14:15 UTC (CVSS: 0)
AppSmith Community 1.8.3 before 1.46 allows SSRF via New DataSource for application/json requests to 169.254.169.254 to retrieve AWS metadata credentials.
CVE-2022-4096 appsmith Published on 21 Nov 2022, 15:15 UTC (CVSS: 0)
Server-Side Request Forgery (SSRF) in GitHub repository appsmithorg/appsmith prior to 1.8.2.
CVE-2022-38299 appsmith Published on 12 Sep 2022, 22:15 UTC (CVSS: 0)
An issue in the Elasticsearch plugin of Appsmith v1.7.11 allows attackers to connect disallowed hosts to the AWS/GCP internal metadata endpoint.
CVE-2022-38298 appsmith Published on 12 Sep 2022, 22:15 UTC (CVSS: 0)
Appsmith v1.7.11 was discovered to allow attackers to execute an authenticated Server-Side Request Forgery (SSRF) via redirecting incoming requests to the AWS internal metadata endpoint.
CVE-2022-39824 appsmith Published on 05 Sep 2022, 03:15 UTC (CVSS: 0)
Server-side JavaScript injection in Appsmith through 1.7.14 allows remote attackers to execute arbitrary JavaScript code from the server via the currentItem property of the list widget, e.g., to perform DoS attacks or achieve an information leak.

All CVEs for appsmith

CVE-2024-51408 appsmith vulnerability CVSS: 0 04 Nov 2024, 14:15 UTC

AppSmith Community 1.8.3 before 1.46 allows SSRF via New DataSource for application/json requests to 169.254.169.254 to retrieve AWS metadata credentials.

CVE-2022-4096 appsmith vulnerability CVSS: 0 21 Nov 2022, 15:15 UTC

Server-Side Request Forgery (SSRF) in GitHub repository appsmithorg/appsmith prior to 1.8.2.

CVE-2022-38299 appsmith vulnerability CVSS: 0 12 Sep 2022, 22:15 UTC

An issue in the Elasticsearch plugin of Appsmith v1.7.11 allows attackers to connect disallowed hosts to the AWS/GCP internal metadata endpoint.

CVE-2022-38298 appsmith vulnerability CVSS: 0 12 Sep 2022, 22:15 UTC

Appsmith v1.7.11 was discovered to allow attackers to execute an authenticated Server-Side Request Forgery (SSRF) via redirecting incoming requests to the AWS internal metadata endpoint.

CVE-2022-39824 appsmith vulnerability CVSS: 0 05 Sep 2022, 03:15 UTC

Server-side JavaScript injection in Appsmith through 1.7.14 allows remote attackers to execute arbitrary JavaScript code from the server via the currentItem property of the list widget, e.g., to perform DoS attacks or achieve an information leak.