VYPR

npm package

budibase

pkg:npm/budibase

Vulnerabilities (3)

  • CVE-2026-45061 · High · May 27, 2026
    affected < 3.35.10 · fixed 3.35.10

    Budibase is an open-source low-code platform. Prior to 3.35.10, the Plugin URL upload endpoint (POST /api/plugin) validates the submitted URL with a single substring check: url.includes(".tar.gz"). Any URL containing .tar.gz anywhere in the string — in the path, query string, or

  • CVE-2026-33226 · Mar 20, 2026
    affected <= 3.30.6

    Budibase is a low code platform for creating internal tools, workflows, and admin panels. In versions from 3.30.6 and prior, the REST datasource query preview endpoint (POST /api/queries/preview) makes server-side HTTP requests to any URL supplied by the user in fields.path with

  • CVE-2026-27702 · Feb 25, 2026
    affected < 3.30.4 · fixed 3.30.4

    Budibase is a low code platform for creating internal tools, workflows, and admin panels. Prior to version 3.30.4, an unsafe `eval()` vulnerability in Budibase's view filtering implementation allows any authenticated user (including free tier accounts) to execute arbitrary JavaSc