appsmith CVE Vulnerabilities & Metrics

Focus on appsmith vulnerabilities and metrics.

Last updated: 16 Apr 2025, 22:25 UTC

About appsmith Security Exposure

This page consolidates all known Common Vulnerabilities and Exposures (CVEs) associated with appsmith. We track both calendar-based metrics (using fixed periods) and rolling metrics (using gliding windows) to give you a comprehensive view of security trends and risk evolution. Use these insights to assess risk and plan your patching strategy.

For a broader perspective on cybersecurity threats, explore the comprehensive list of CVEs by vendor and product. Stay updated on critical vulnerabilities affecting major software and hardware providers.

Global CVE Overview

Total appsmith CVEs: 7
Earliest CVE date: 05 Sep 2022, 03:15 UTC
Latest CVE date: 26 Mar 2025, 20:15 UTC

Latest CVE reference: CVE-2024-55964

Rolling Stats

30-day Count (Rolling): 2
365-day Count (Rolling): 3

Calendar-based Variation

Calendar-based Variation compares a fixed calendar period (e.g., this month versus the same month last year), while Rolling Growth Rate uses a continuous window (e.g., last 30 days versus the previous 30 days) to capture trends independent of calendar boundaries.

Variations & Growth

Month Variation (Calendar): 0%
Year Variation (Calendar): 0%

Month Growth Rate (30-day Rolling): 0.0%
Year Growth Rate (365-day Rolling): 0.0%

Monthly CVE Trends (current vs previous Year)

Annual CVE Trends (Last 20 Years)

Critical appsmith CVEs (CVSS ≥ 9) Over 20 Years

CVSS Stats

Average CVSS: 0.0

Max CVSS: 0

Critical CVEs (≥9): 0

CVSS Range vs. Count

Range Count
0.0-3.9 7
4.0-6.9 0
7.0-8.9 0
9.0-10.0 0

CVSS Distribution Chart

Top 5 Highest CVSS appsmith CVEs

These are the five CVEs with the highest CVSS scores for appsmith, sorted by severity first and recency.

All CVEs for appsmith

CVE-2024-55964 appsmith vulnerability CVSS: 0 26 Mar 2025, 20:15 UTC

An issue was discovered in Appsmith before 1.52. An incorrectly configured PostgreSQL instance in the Appsmith image leads to remote command execution inside the Appsmith Docker container. The attacker must be able to access Appsmith, login to it, create a datasource, create a query against that datasource, and execute that query.

CVE-2024-55963 appsmith vulnerability CVSS: 0 26 Mar 2025, 20:15 UTC

An issue was discovered in Appsmith before 1.51. A user on Appsmith that doesn't have admin permissions can trigger the restart API on Appsmith, causing a server restart. This is still within the Appsmith container, and the impact is limited to Appsmith's own server only, but there is a denial of service because it can be continually restarted. This is due to incorrect access control checks, which should check for super user permissions on the incoming request.

CVE-2024-51408 appsmith vulnerability CVSS: 0 04 Nov 2024, 14:15 UTC

AppSmith Community 1.8.3 before 1.46 allows SSRF via New DataSource for application/json requests to 169.254.169.254 to retrieve AWS metadata credentials.

CVE-2022-4096 appsmith vulnerability CVSS: 0 21 Nov 2022, 15:15 UTC

Server-Side Request Forgery (SSRF) in GitHub repository appsmithorg/appsmith prior to 1.8.2.

CVE-2022-38299 appsmith vulnerability CVSS: 0 12 Sep 2022, 22:15 UTC

An issue in the Elasticsearch plugin of Appsmith v1.7.11 allows attackers to connect disallowed hosts to the AWS/GCP internal metadata endpoint.

CVE-2022-38298 appsmith vulnerability CVSS: 0 12 Sep 2022, 22:15 UTC

Appsmith v1.7.11 was discovered to allow attackers to execute an authenticated Server-Side Request Forgery (SSRF) via redirecting incoming requests to the AWS internal metadata endpoint.

CVE-2022-39824 appsmith vulnerability CVSS: 0 05 Sep 2022, 03:15 UTC

Server-side JavaScript injection in Appsmith through 1.7.14 allows remote attackers to execute arbitrary JavaScript code from the server via the currentItem property of the list widget, e.g., to perform DoS attacks or achieve an information leak.