npm package
@budibase/server
pkg:npm/%40budibase/server
Vulnerabilities (7)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-45717 | High | — | — | < 3.38.1 | 3.38.1 | May 15, 2026 | Summary: Budibase exposes a REST API for datasource management. The route `PUT /api/datasources/:datasourceId` is registered in the `authorizedRoutes` group with `TABLE/READ` permission. This is the same authorization level as the read endpoint (`GET /api/datasources/:datasour`) |
| CVE-2026-45715 | High | — | — | < 3.38.1 | 3.38.1 | May 15, 2026 | Summary: The REST datasource integration follows HTTP redirects without re-checking the IP blacklist, allowing an authenticated Builder to access internal services (cloud metadata, databases) by redirecting through an attacker-controlled server. The same vulnerability class w |
| CVE-2026-45548 | High | — | — | < 3.34.8 | 3.34.8 | May 15, 2026 | Vulnerability details: **CWE-918**: Server-Side Request Forgery (SSRF). The `processUrlFile` function in `packages/server/src/automations/steps/ai/extract.ts` uses `fetch(fileUrl)` directly **without the IP blacklist validation** that is consistently applied to all other autom |
| CVE-2026-35216 | Critical | 9.0 | — | < 3.33.4 | 3.33.4 | Apr 3, 2026 | Budibase is an open-source low-code platform. Prior to version 3.33.4, an unauthenticated attacker can achieve Remote Code Execution (RCE) on the Budibase server by triggering an automation that contains a Bash step via the public webhook endpoint. No authentication is required t |
| CVE-2026-35214 | High | 8.7 | — | < 3.33.4 | 3.33.4 | Apr 3, 2026 | Budibase is an open-source low-code platform. Prior to version 3.33.4, the plugin file upload endpoint (`POST /api/plugin/upload`) passes the user-supplied filename directly to `createTempFolder()` without sanitizing path traversal sequences. An attacker with Global Builder privilege |
| CVE-2026-25044 | High | 8.8 | — | < 3.33.4 | 3.33.4 | Apr 3, 2026 | Budibase is an open-source low-code platform. Prior to version 3.33.4, the bash automation step executes user-provided commands using `execSync` without proper sanitization or validation. User input is processed through `processStringSync`, which allows template interpolation, potenti |
| CVE-2026-25041 | — | — | — | < 3.23.32 | 3.23.32 | Mar 9, 2026 | Budibase is a low code platform for creating internal tools, workflows, and admin panels. In 3.23.22 and earlier, the PostgreSQL integration constructs shell commands using user-controlled configuration values (database name, host, password, etc.) without proper sanitization. The |