CVE-2026-22794
Severity: CRITICAL (9.6)
Description
Appsmith is a platform to build admin panels, internal tools, and dashboards. Prior to 1.93, the server uses the Origin value from the request headers as the email link baseUrl without validation. If an attacker controls the Origin, password reset / email verification links in emails can be generated pointing to the attacker’s domain, causing authentication tokens to be exposed and potentially leading to account takeover. This vulnerability is fixed in 1.93.
CVE details
CVSS v3.1 score: 9.6
Severity: CRITICAL
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Attack vector: NETWORK
Complexity: LOW
Privileges required: NONE
User interaction: REQUIRED
Published: 1/12/2026
Last modified: 1/21/2026
Source: nvd
Honeypot sightings: 0
Affected products
appsmith:appsmith
Weaknesses (CWE)
CWE-346
References
https://github.com/appsmithorg/appsmith/commit/6f9ee6226bac13fb4b836940b557913fff78b633 (security-advisories@github.com)
https://github.com/appsmithorg/appsmith/security/advisories/GHSA-7hf5-mc28-xmcv (security-advisories@github.com)
https://github.com/appsmithorg/appsmith/security/advisories/GHSA-7hf5-mc28-xmcv (134c704f-9b21-4f2e-91b3-4a467353bcc0)
IOC correlations
No correlations recorded
This product uses data from the NVD API but is not endorsed or certified by the NVD.