CyberRota

CVE-2026-49979

LOW · CVSS 2.7 · EPSS 0.22% · Public Exploit

Source: NVD + CISA KEV + EPSS · Published: 2026-06-24T22:16:47.250 · Fetched: 2026-06-30T18:32:57.462036+00:00

CyberRota Commentary

Detailed analysis required.

Public Exploit Signal

A public exploit / PoC / GitHub / Metasploit signal was detected for this CVE in its description or references.

GitHub PoC Links

Note: These links are listed solely for security research and verification purposes.

CVE: CVE-2026-49979
Severity: LOW
CVSS: 2.7
EPSS: 0.22%
Java

Original NVD Description

Appsmith is a platform to build admin panels, internal tools, and dashboards. Prior to 1.99, the POST /api/v1/admin/send-test-email endpoint accepts attacker-controlled smtpHost and smtpPort values and establishes a raw JavaMail TCP connection without any IP validation. This completely bypasses WebClientUtils.IP_CHECK_FILTER, which only applies to Spring WebClient HTTP requests. Additionally, the raw MailException.getMessage() is returned verbatim in the API error response, enabling error-based internal port scanning and service banner enumeration. This vulnerability is fixed in 1.99.