
Appsmith

DEVOPS
Velocity 6.3

Open-source low-code platform for building custom internal applications.

Appsmith is running a security-hardening marathon while resetting its platform floor with 2.0.

low-code, internal-tools, open-source, security-hardening, self-hosted, major-version
Current state
Appsmith is an open-source low-code platform for building internal tools, shipping frequent point releases on a roughly biweekly cadence. The recent window is dominated by two things: an unusually heavy stream of security fixes (SSRF, XSS, SQL/AQL injection, path traversal, CVE remediations) in nearly every release, and the 2.0 major version, which bundles MongoDB 7 and bumps Java to 25 and Node to 24 behind a mandatory staged upgrade path. Incremental UI and datasource features (Redis TLS, TableWidgetV2 styling, Favorite Applications V2) continue alongside.
Where it's heading
The throughline is hardening and consolidation: Appsmith is closing vulnerability classes across its self-hosted surface while modernizing its bundled runtime stack. 'Ask AI' community-edition stubs in 2.0 hint that AI-assisted app building is being wired into the open-source edition. Expect the security cadence to continue as the product stabilizes on the 2.x base.
Prediction
Likely next: continued 2.x point releases with more security fixes and a build-out of the 'Ask AI' feature beyond stubs. Self-hosted operators who haven't moved should plan for the staged v1.99-to-2.0 migration.

Recent moves

  1. 29d ago

    v2.1: security hardening, Intercom-to-Pylon support swap

    A security-heavy point release on the new 2.x base: SSRF, path-traversal, and permission-check hardening across the platform, plus a swap from Intercom to Pylon for in-product support and a memory-sizing diagnostic script. Continues the relentless hardening cadence.

  2. 1mo ago

    v2.0: bundles MongoDB 7, Java 25, Node 24; staged upgrade

    The major version that resets Appsmith's platform floor: bundled MongoDB 7, Java 25, and Node 24, gated behind a mandatory staged upgrade (older instances must pass through v1.99 first). It also seeds 'Ask AI' community-edition stubs, pointing at AI-assisted building coming to the open-source tier.

  3. 2mo ago

    v1.99: security/CVE fixes; required waypoint before 2.0

    An all-fixes release concentrated on security (critical CVEs, SSRF, AQL injection, ACL and race-condition fixes). Notably, it is the required migration waypoint that instances must reach before upgrading to 2.0.

  4. 3mo ago

    v1.98: Redis datasource TLS support, critical CVE fixes

    Adds TLS support for the Redis datasource and raises the consolidated API timeout, alongside SQL-injection and critical dependency-CVE fixes. Incremental capability plus the ongoing security work.

  5. 3mo ago

    v1.97: Favorite Apps V2, table row colors, Caddy compression

    A feature-leaning release: Favorite Applications V2, TableWidgetV2 row-color styling, Caddy response compression, and air-gapped BetterBugs links, with open-redirect and stability fixes. Steady incremental product work.

  6. 4mo ago

    v1.96: Checkbox tooltip, BetterBugs SDK, command-injection fix

    Minor features (Checkbox tooltip, BetterBugs SDK) paired with significant security fixes, including an OS command-injection vulnerability in in-memory Git and table-cell XSS. A routine release within the hardening streak.
