{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-17T07:47:30.361","vulnerabilities":[{"cve":{"id":"CVE-2026-22794","sourceIdentifier":"security-advisories@github.com","published":"2026-01-12T22:16:08.633","lastModified":"2026-01-21T19:14:17.880","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Appsmith is a platform to build admin panels, internal tools, and dashboards. Prior to 1.93, the server uses the Origin value from the request headers as the email link baseUrl without validation. If an attacker controls the Origin, password reset / email verification links in emails can be generated pointing to the attacker’s domain, causing authentication tokens to be exposed and potentially leading to account takeover. This vulnerability is fixed in 1.93."},{"lang":"es","value":"Appsmith es una plataforma para construir paneles de administración, herramientas internas y cuadros de mando. Antes de la versión 1.93, el servidor utiliza el valor Origin de los encabezados de solicitud como la baseUrl de los enlaces de correo electrónico sin validación. Si un atacante controla el Origin, se pueden generar enlaces de restablecimiento de contraseña / verificación de correo electrónico en los correos electrónicos que apunten al dominio del atacante, causando que los tokens de autenticación queden expuestos y potencialmente llevando a la toma de control de la cuenta. \nEsta vulnerabilidad se corrige en la versión 1.93."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H","baseScore":9.6,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":2.8,"impactScore":6.0},{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","baseScore":8.8,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":2.8,"impactScore":5.9}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Secondary","description":[{"lang":"en","value":"CWE-346"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:appsmith:appsmith:*:*:*:*:*:*:*:*","versionEndExcluding":"1.93","matchCriteriaId":"5D0E0C12-CE13-4165-8647-F27EE6E03D0F"}]}]}],"references":[{"url":"https://github.com/appsmithorg/appsmith/commit/6f9ee6226bac13fb4b836940b557913fff78b633","source":"security-advisories@github.com","tags":["Patch"]},{"url":"https://github.com/appsmithorg/appsmith/security/advisories/GHSA-7hf5-mc28-xmcv","source":"security-advisories@github.com","tags":["Exploit","Vendor Advisory"]},{"url":"https://github.com/appsmithorg/appsmith/security/advisories/GHSA-7hf5-mc28-xmcv","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","tags":["Exploit","Vendor Advisory"]}]}}]}