{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-5418", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-04-02T11:05:13.808Z", "datePublished": "2026-04-02T18:30:14.217Z", "dateUpdated": "2026-04-03T12:59:56.016Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-04-02T18:30:14.217Z"}, "title": "appsmithorg appsmith Dashboard WebClientUtils.java computeDisallowedHosts server-side request forgery", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-918", "lang": "en", "description": "Server-Side Request Forgery"}]}], "affected": [{"vendor": "appsmithorg", "product": "appsmith", "versions": [{"version": "1.0", "status": "affected"}, {"version": "1.1", "status": "affected"}, {"version": "1.2", "status": "affected"}, {"version": "1.3", "status": "affected"}, {"version": "1.4", "status": "affected"}, {"version": "1.5", "status": "affected"}, {"version": "1.6", "status": "affected"}, {"version": "1.7", "status": "affected"}, {"version": "1.8", "status": "affected"}, {"version": "1.9", "status": "affected"}, {"version": "1.10", "status": "affected"}, {"version": "1.11", "status": "affected"}, {"version": "1.12", "status": "affected"}, {"version": "1.13", "status": "affected"}, {"version": "1.14", "status": "affected"}, {"version": "1.15", "status": "affected"}, {"version": "1.16", "status": "affected"}, {"version": "1.17", "status": "affected"}, {"version": "1.18", "status": "affected"}, {"version": "1.19", "status": "affected"}, {"version": "1.20", "status": "affected"}, {"version": "1.21", "status": "affected"}, {"version": "1.22", "status": "affected"}, {"version": "1.23", "status": "affected"}, {"version": "1.24", "status": "affected"}, {"version": "1.25", "status": "affected"}, {"version": "1.26", "status": "affected"}, {"version": "1.27", "status": "affected"}, {"version": "1.28", "status": "affected"}, {"version": "1.29", "status": "affected"}, {"version": "1.30", "status": "affected"}, {"version": "1.31", "status": "affected"}, {"version": "1.32", "status": "affected"}, {"version": "1.33", "status": "affected"}, {"version": "1.34", "status": "affected"}, {"version": "1.35", "status": "affected"}, {"version": "1.36", "status": "affected"}, {"version": "1.37", "status": "affected"}, {"version": "1.38", "status": "affected"}, {"version": "1.39", "status": "affected"}, {"version": "1.40", "status": "affected"}, {"version": "1.41", "status": "affected"}, {"version": "1.42", "status": "affected"}, {"version": "1.43", "status": "affected"}, {"version": "1.44", "status": "affected"}, {"version": "1.45", "status": "affected"}, {"version": "1.46", "status": "affected"}, {"version": "1.47", "status": "affected"}, {"version": "1.48", "status": "affected"}, {"version": "1.49", "status": "affected"}, {"version": "1.50", "status": "affected"}, {"version": "1.51", "status": "affected"}, {"version": "1.52", "status": "affected"}, {"version": "1.53", "status": "affected"}, {"version": "1.54", "status": "affected"}, {"version": "1.55", "status": "affected"}, {"version": "1.56", "status": "affected"}, {"version": "1.57", "status": "affected"}, {"version": "1.58", "status": "affected"}, {"version": "1.59", "status": "affected"}, {"version": "1.60", "status": "affected"}, {"version": "1.61", "status": "affected"}, {"version": "1.62", "status": "affected"}, {"version": "1.63", "status": "affected"}, {"version": "1.64", "status": "affected"}, {"version": "1.65", "status": "affected"}, {"version": "1.66", "status": "affected"}, {"version": "1.67", "status": "affected"}, {"version": "1.68", "status": "affected"}, {"version": "1.69", "status": "affected"}, {"version": "1.70", "status": "affected"}, {"version": "1.71", "status": "affected"}, {"version": "1.72", "status": "affected"}, {"version": "1.73", "status": "affected"}, {"version": "1.74", "status": "affected"}, {"version": "1.75", "status": "affected"}, {"version": "1.76", "status": "affected"}, {"version": "1.77", "status": "affected"}, {"version": "1.78", "status": "affected"}, {"version": "1.79", "status": "affected"}, {"version": "1.80", "status": "affected"}, {"version": "1.81", "status": "affected"}, {"version": "1.82", "status": "affected"}, {"version": "1.83", "status": "affected"}, {"version": "1.84", "status": "affected"}, {"version": "1.85", "status": "affected"}, {"version": "1.86", "status": "affected"}, {"version": "1.87", "status": "affected"}, {"version": "1.88", "status": "affected"}, {"version": "1.89", "status": "affected"}, {"version": "1.90", "status": "affected"}, {"version": "1.91", "status": "affected"}, {"version": "1.92", "status": "affected"}, {"version": "1.93", "status": "affected"}, {"version": "1.94", "status": "affected"}, {"version": "1.95", "status": "affected"}, {"version": "1.96", "status": "affected"}, {"version": "1.97", "status": "affected"}, {"version": "1.99", "status": "unaffected"}], "cpes": ["cpe:2.3:a:appsmith:appsmith:*:*:*:*:*:*:*:*"], "modules": ["Dashboard"]}], "descriptions": [{"lang": "en", "value": "A vulnerability was identified in appsmithorg appsmith up to 1.97. Impacted is the function computeDisallowedHosts of the file app/server/appsmith-interfaces/src/main/java/com/appsmith/util/WebClientUtils.java of the component Dashboard. Such manipulation leads to server-side request forgery. The attack may be launched remotely. The exploit is publicly available and might be used. Upgrading to version 1.99 is recommended to address this issue. The affected component should be upgraded. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.9, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 7.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C", "baseSeverity": "HIGH"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 7.3, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C", "baseSeverity": "HIGH"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:OF/RC:C"}}], "timeline": [{"time": "2026-04-02T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-04-02T02:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-04-02T13:10:22.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "Executio (VulDB User)", "type": "reporter"}, {"lang": "en", "value": "VulDB CNA Team", "type": "coordinator"}], "references": [{"url": "https://vuldb.com/vuln/354855", "name": "VDB-354855 | appsmithorg appsmith Dashboard WebClientUtils.java computeDisallowedHosts server-side request forgery", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/vuln/354855/cti", "name": "VDB-354855 | CTI Indicators (IOB, IOC, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/780190", "name": "Submit #780190 | appsmithorg appsmith v1.97 Server-Side Request Forgery", "tags": ["third-party-advisory"]}, {"url": "https://github.com/appsmithorg/appsmith/security/advisories/GHSA-9m89-5jw7-q5cr", "tags": ["exploit"]}, {"url": "https://github.com/appsmithorg/appsmith/", "tags": ["product"]}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-03T12:59:49.042923Z", "id": "CVE-2026-5418", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-03T12:59:56.016Z"}}]}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was identified in appsmithorg appsmith up to 1.97. Impacted is the function computeDisallowedHosts of the file app/server/appsmith-interfaces/src/main/java/com/appsmith/util/WebClientUtils.java of the component Dashboard. Such manipulation leads to server-side request forgery. The attack may be launched remotely. The exploit is publicly available and might be used. Upgrading to version 1.99 is recommended to address this issue. The affected component should be upgraded. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product."}], "id": "CVE-2026-5418", "lastModified": "2026-04-29T01:00:01.613", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.4, "source": "cna@vuldb.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-04-02T19:21:36.737", "references": [{"source": "cna@vuldb.com", "url": "https://github.com/appsmithorg/appsmith/"}, {"source": "cna@vuldb.com", "url": "https://github.com/appsmithorg/appsmith/security/advisories/GHSA-9m89-5jw7-q5cr"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/submit/780190"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/354855"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/354855/cti"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "cna@vuldb.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": null}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "appsmith", "source": "cna", "vendor": "appsmithorg"}, "product": "appsmith", "vendor": "appsmith"}], "analysis": {"en": {"generated_at": "2026-04-02T22:51:39.785389+00:00", "value": {"mitigation_remediation": ["Upgrade Appsmith to version\u202f1.99 or newer, which includes the fixed function. ", "After upgrading, confirm that computeDisallowedHosts no longer allows arbitrary host resolution by testing with known internal addresses. ", "Monitor outbound network traffic from the application for any unexpected requests to potential internal or external resources."], "summary": {"action": "Apply Patch", "impact": "Server-side Request Forgery"}, "threat_synthesis": {"affected_systems": "It affects Appsmith built by appsmithorg; all releases up to version\u202f1.97 contain the issue and users should upgrade to version\u202f1.99 or later, which contains the patch for the computeDisallowedHosts function in the Dashboard module.", "description_and_impact": "The vulnerability resides in the computeDisallowedHosts function of the Dashboard component; an attacker can manipulate input to trigger the server to produce HTTP requests to arbitrary hosts, leading to server\u2011side request forgery, which allows exfiltration, internal service interaction, or network reconnaissance, and aligns with CWE\u2011918.", "risk_and_exploitability": "With a CVSS score of 6.9 the vulnerability has medium severity; attackers can launch the exploit remotely and public exploits exist, suggesting moderate likelihood; EPSS data is missing and it is not in KEV, yet the public exploit warrants immediate attention, and the attack vector is likely remote via the web interface with no local privilege needed."}}}}, "created": "2026-04-03T07:31:44.831526+00:00", "updated": "2026-04-03T09:16:41.907375+00:00", "vendors": ["appsmith", "appsmith$PRODUCT$appsmith"]}