
Appsmith

DEVOPS
Velocity 2.1

Open-source low-code platform for building custom internal applications.

Appsmith spent six months in a sustained security-patch cycle, capped by a release with 15+ named advisories.

Tags: low-code platform, security audit response, cve patching, ssrf protection, permission scoping, supply chain
Current state
Appsmith's recent release stream is dominated by security work. v1.99 alone landed roughly fifteen security-tagged fixes — multiple named GHSAs (super-user race condition, SSRF via send-test-email, OAuth2 callback ACL bypass, application snapshot delete permission, expanded metadata denylist), critical CVE patches (CVE-2025-70952, CVE-2026-33937 in handlebars, CVE-2026-22732 around Spring Security headers), AQL injection prevention in the ArangoDB plugin, and several reflected XSS and email-normalization fixes. The same pattern repeats in v1.98 (SQL injection in UQI filters, simple-git critical CVE), v1.96 (arbitrary file write outside repo scope, OS command injection in in-memory Git, XSS in Table HTML cells), and earlier. Feature work continues alongside but at a much smaller volume — Redis TLS, BetterBugs SDK, Favorite Applications V2, Helm extraVolumes.
Where it's heading
The arc is clear: Appsmith is absorbing the output of what looks like a sustained external audit (or several converging ones) and using minor releases as the patch vehicle. The diversity of vuln classes across the ArangoDB plugin, Spring Security headers, OAuth2 callback, in-memory Git, snapshot deletion permissions, and metadata denylist points to a broad-surface review rather than a single component. Feature work isn't stalled, but it's clearly running second to the security queue.
Prediction
Expect at least one or two more 1.9x releases to keep landing security patches before a 2.0 line emerges. Watch for a release that bundles fewer security items than features — that's the signal the audit cycle has caught up. Likely product-side bets are continued data-source TLS coverage and more granular permission scoping (the GHSAs around snapshots and OAuth2 lookup suggest the permission model is being tightened systematically).

Recent moves

  1. 1mo ago

    v1.99: 15+ security advisories closed in a single release

    v1.99 is overwhelmingly a security release: super-user creation race (GHSA-9wcp-79g5-5c3c), SSRF via send-test-email SMTP host validation (GHSA-vvxf-f8q9-86gh), critical CVE-2025-70952, handlebars 4.7.9 for CVE-2026-33937, Spring Security HTTP header writing (CVE-2026-22732), OAuth2 callback datasource ACL (GHSA-rg2x-4v4h-g78w), AQL injection in ArangoDB plugin, expanded metadata denylist (GHSA-9m89-5jw7-q5cr), reflected XSS sanitization in ManualUpgrades, snapshot delete permission enforcement, and email Unicode normalization. The non-security content is small and operational.

  2. 1mo ago

    v1.98: Redis TLS support and SQL injection patch in UQI filters

    v1.98 adds TLS/SSL mode for the Redis datasource (both backend and UI), patches SQL injection in UQI filter projection and sortBy columns, restricts draft-action execution to editors only, and resolves critical CVEs in simple-git (CVE-2026-28292) and fast-xml-parser (CVE-2026-25896). Continues the 1.9x security-cadence pattern.

  3. 2mo ago

    v1.97: Caddy on-the-fly compression, Favorite Applications V2, table style properties

    v1.97 enables on-the-fly response compression in Caddy, ships a V2 of Favorite Applications, and adds header/odd/even row color properties to TableWidgetV2. Same release prevents open redirects in login and OAuth2 flows and stabilizes the app-deletion path against resource spikes.

  4. 3mo ago

    v1.96: arbitrary file write, OS command injection, XSS in Table cells patched

    v1.96 closes an arbitrary file write vulnerability that allowed writes outside the repository scope, an OS command injection when in-memory Git is enabled, and an XSS in Table HTML cells. Smaller feature surface — Betterbugs SDK and a Checkbox tooltip.

  5. 3mo ago

    v1.95: Helm extraVolumes/extraVolumeMounts, anonymous unpublished-action fix

    v1.95 exposes extraVolumes and extraVolumeMounts in the Helm chart, fixes an issue where anonymous users could execute unpublished actions, and switches Helm charts to the Appsmith-built MongoDB image. Operational and security-quiet relative to surrounding releases.

  6. 5mo ago

    v1.94: Redeploy button, git-pull sync-commit fix

    v1.94 adds a Redeploy button to push the latest changes to App view mode and fixes a git-pull behavior that created a sync commit and lost changes — meaningful for teams managing apps via Git. Helm chart now supports zero-replica deployments.
