GHSA-h8cj-hpmg-636v: appsmith has SQL Injection in FilterDataService via Unsafe DROP TABLE Execution
A SQL injection vulnerability exists in FilterDataServiceCE.java where the dropTable method constructs a SQL DROP TABLE statement using string concatenation with the table name. If the table name is derived from user input, this allows for arbitrary SQL command execution.
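The concatenation pattern described above, next to one hardened alternative. This is an added example, not Appsmith's code or its actual fix; the class name, method names, allowlist pattern and sample input are assumptions made for illustration.

```java
import java.sql.Connection;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.regex.Pattern;

public class DropTableExample {
    // Assumption: legitimate table names are plain ASCII identifiers.
    private static final Pattern SAFE_TABLE_NAME =
            Pattern.compile("[A-Za-z_][A-Za-z0-9_]{0,62}");

    // Pattern the advisory describes: the name is concatenated unchecked,
    // so any SQL text inside it becomes part of the statement.
    static String unsafeDropSql(String tableName) {
        return "DROP TABLE " + tableName;
    }

    // Hardened form. Identifiers cannot be bound as PreparedStatement
    // parameters, so the name is checked against a strict allowlist
    // (whole-string match) before it is placed in the statement.
    static String safeDropSql(String tableName) {
        if (tableName == null || !SAFE_TABLE_NAME.matcher(tableName).matches()) {
            throw new IllegalArgumentException("rejected table name");
        }
        return "DROP TABLE " + tableName;
    }

    // Hypothetical caller: only validated statements reach the database.
    static void dropTable(Connection conn, String tableName) throws SQLException {
        String sql = safeDropSql(tableName);
        try (Statement stmt = conn.createStatement()) {
            stmt.execute(sql);
        }
    }

    public static void main(String[] args) {
        String constructed = "tbl_1; DROP TABLE other_tbl"; // constructed sample input
        System.out.println("unsafe: " + unsafeDropSql(constructed));
        System.out.println("safe:   " + safeDropSql("tbl_1"));
        try {
            safeDropSql(constructed);
        } catch (IllegalArgumentException e) {
            System.out.println("safe:   " + e.getMessage());
        }
    }
}
```

Where table names are generated server-side, keeping a set of the names actually created and dropping only members of that set is a stricter check than a pattern match.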