{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-06-14T22:14:46.386","vulnerabilities":[{"cve":{"id":"CVE-2026-24042","sourceIdentifier":"security-advisories@github.com","published":"2026-01-22T04:16:00.187","lastModified":"2026-02-17T17:50:44.837","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Appsmith is a platform to build admin panels, internal tools, and dashboards. In versions 1.94 and below, publicly accessible apps allow unauthenticated users to execute unpublished (edit-mode) actions by sending viewMode=false (or omitting it) to POST /api/v1/actions/execute. This bypasses the expected publish boundary where public viewers should only execute published actions, not edit-mode versions. An attack can result in sensitive data exposure, execution of edit‑mode queries and APIs, development data access, and the ability to trigger side effect behavior. This issue does not have a released fix at the time of publication."},{"lang":"es","value":"Appsmith es una plataforma para construir paneles de administración, herramientas internas y paneles de control. En las versiones 1.94 e inferiores, las aplicaciones de acceso público permiten a usuarios no autenticados ejecutar acciones no publicadas (en modo edición) enviando viewMode=false (o omitiéndolo) a POST /API/v1/actions/execute. Esto elude el límite de publicación esperado donde los espectadores públicos solo deberían ejecutar acciones publicadas, no versiones en modo edición. Un ataque puede resultar en exposición de datos sensibles, ejecución de consultas y API en modo edición, acceso a datos de desarrollo y la capacidad de desencadenar comportamientos con efectos secundarios. Este problema no tiene una solución publicada en el momento de la publicación."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L","baseScore":9.4,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"LOW"},"exploitabilityScore":3.9,"impactScore":5.5},{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":9.8,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":5.9}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-862"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:appsmith:appsmith:*:*:*:*:*:*:*:*","versionEndIncluding":"1.94","matchCriteriaId":"E0D385D9-E0EC-4CED-AB28-87B2CD03C5E8"}]}]}],"references":[{"url":"https://github.com/appsmithorg/appsmith/security/advisories/GHSA-j9qq-4fj9-9883","source":"security-advisories@github.com","tags":["Third Party Advisory"]}]}}]}