NVD Vulnerability Detail

Search Exploit, PoC

NVD脆弱性検索トップ

->

NVD Vulnerability Detail

CVE-2026-49979

Summary	Appsmith is a platform to build admin panels, internal tools, and dashboards. Prior to 1.99, the POST /api/v1/admin/send-test-email endpoint accepts attacker-controlled smtpHost and smtpPort values and establishes a raw JavaMail TCP connection without any IP validation. This completely bypasses WebClientUtils.IP_CHECK_FILTER, which only applies to Spring WebClient HTTP requests. Additionally, the raw MailException.getMessage() is returned verbatim in the API error response, enabling error-based internal port scanning and service banner enumeration. This vulnerability is fixed in 1.99.
Publication Date	June 25, 2026, 7:16 a.m.
Registration Date	June 27, 2026, 4:24 a.m.
Last Update	June 26, 2026, 1:11 a.m.

Related information, measures and tools

No	URL	refsource	タグ
1	https://github.com/appsmithorg/appsmith/security/advisories/GHSA-vvxf-f8q9-86gh	security-advisories@github.com

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-918	サーバサイドリクエストフォージェリ	https://cwe.mitre.org/data/definitions/918.html
2	CWE-209	エラーメッセージによる情報漏えい	https://cwe.mitre.org/data/definitions/209.html