VYPR

npm package

@budibase/server

pkg:npm/%40budibase/server

Vulnerabilities (7)

  • CVE-2026-45717HigMay 27, 2026
    affected < 3.38.1fixed 3.38.1

    Budibase is an open-source low-code platform. Prior to 3.38.1, Budibase exposes a REST API for datasource management. The route PUT /api/datasources/:datasourceId is registered in the authorizedRoutes group with TABLE/READ permission. This is the same authorization level as the r

  • CVE-2026-45715HigMay 27, 2026
    affected < 3.38.1fixed 3.38.1

    Budibase is an open-source low-code platform. Prior to 3.38.1, the REST datasource integration (packages/server/src/integrations/rest.ts) follows HTTP redirects without re-checking the IP blacklist, allowing an authenticated Builder to access internal services (cloud metadata, da

  • CVE-2026-45548HigMay 27, 2026
    affected < 3.34.8fixed 3.34.8

    Budibase is an open-source low-code platform. Prior to 3.34.8, the processUrlFile function in packages/server/src/automations/steps/ai/extract.ts uses fetch(fileUrl) directly without the IP blacklist validation that is consistently applied to all other automation steps. This allo

  • CVE-2026-35216CriApr 3, 2026
    affected < 3.33.4fixed 3.33.4

    Budibase is an open-source low-code platform. Prior to version 3.33.4, an unauthenticated attacker can achieve Remote Code Execution (RCE) on the Budibase server by triggering an automation that contains a Bash step via the public webhook endpoint. No authentication is required t

  • CVE-2026-35214HigApr 3, 2026
    affected < 3.33.4fixed 3.33.4

    Budibase is an open-source low-code platform. Prior to version 3.33.4, the plugin file upload endpoint (POST /api/plugin/upload) passes the user-supplied filename directly to createTempFolder() without sanitizing path traversal sequences. An attacker with Global Builder privilege

  • CVE-2026-25044HigApr 3, 2026
    affected < 3.33.4fixed 3.33.4

    Budibase is an open-source low-code platform. Prior to version 3.33.4, the bash automation step executes user-provided commands using execSync without proper sanitization or validation. User input is processed through processStringSync which allows template interpolation, potenti

  • CVE-2026-25041Mar 9, 2026
    affected < 3.23.32fixed 3.23.32

    Budibase is a low code platform for creating internal tools, workflows, and admin panels. In 3.23.22 and earlier, the PostgreSQL integration constructs shell commands using user-controlled configuration values (database name, host, password, etc.) without proper sanitization. The