VYPR

Budibase

by Budibase

npm: budibase

Source repositories

CVEs (40)

  • CVE-2026-46426 | High | May 27, 2026
    risk 0.42 | cvss 7.6 | epss 0.00

    Budibase is an open-source low-code platform. Prior to 3.38.2, the file upload endpoint POST /api/attachments/process does not enforce active-content restrictions for authenticated users. The checks for dangerous file extensions are conditionally wrapped inside if (isPublicUser)…

  • CVE-2026-50136 | High | Jun 22, 2026
    risk 0.38 | cvss n/a | epss 0.00

    The application server exposes an unauthenticated endpoint that generates S3 `PutObject` presigned URLs using credentials stored in a workspace datasource. The route is protected only by the recaptcha middleware and does not require authentication, table permission, datasource…

  • CVE-2026-50132 | High | Jun 22, 2026
    risk 0.38 | cvss n/a | epss 0.00

    Chat Identity Link Hijacking: an attacker can silently map their Slack/Discord identity to any authenticated Budibase user's account. Severity: High (CVSS 3.1 AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N, base score 7.3). Affected product: Budibase -…

  • CVE-2026-48147 | Medium | May 27, 2026
    risk 0.35 | cvss 6.5 | epss 0.00

    Budibase is an open-source low-code platform. Prior to 3.35.4, the buildMatcherRegex() / matches() functions in packages/backend-core/src/middleware/matchers.ts route patterns are compiled into unanchored regular expressions and tested against ctx.request.url, which includes the…

  • CVE-2026-45719 | Medium | May 27, 2026
    risk 0.35 | cvss 6.5 | epss 0.00

    Budibase is an open-source low-code platform. Prior to 3.38.1, the V1 Views API (POST /api/views) accepts a calculation parameter from the request body that is interpolated directly into a CouchDB reduce function definition without validation. Although an internal SCHEMA_MAP…

  • CVE-2026-45718 | Medium | May 27, 2026
    risk 0.28 | cvss 5.4 | epss 0.00

    Budibase is an open-source low-code platform. Prior to 3.38.1, the row action trigger endpoint (POST /api/tables/:sourceId/actions/:actionId/trigger) fails to validate that the user-supplied rowId is within the scope of the view's row filters. A user with access to a filtered…

  • CVE-2026-48148 | Medium | May 27, 2026
    risk 0.27 | cvss n/a | epss 0.00

    Budibase is an open-source low-code platform. Prior to 3.35.3, the VectorDB configuration endpoint in Budibase accepts a host parameter that undergoes no validation against internal IP ranges, reserved hostnames, or URL schemes. Any authenticated user with builder-level access…

  • CVE-2026-25043 | Medium | Apr 3, 2026
    risk 0.27 | cvss 5.3 | epss 0.00

    Budibase is an open-source low-code platform. Prior to version 3.23.25, a business logic vulnerability exists in Budibase’s password reset functionality due to the absence of rate limiting, CAPTCHA, or abuse prevention mechanisms on the “Forgot Password” endpoint. An…

  • CVE-2026-48128 | Medium | May 27, 2026
    risk 0.26 | cvss n/a | epss 0.00

    Budibase is an open-source low-code platform. Prior to 3.39.0, the executeQuery automation step in Budibase accepts a queryId from automation step inputs and passes it directly to the query execution controller without additional validation. When combined with a REST datasource…

  • CVE-2026-46424 | Medium | May 27, 2026
    risk 0.20 | cvss 4.2 | epss 0.00

    Budibase is an open-source low-code platform. Prior to 3.38.2, the public API role unassignment endpoint (POST /api/public/v1/roles/unassign) updates user documents in CouchDB but does not invalidate the corresponding Redis user cache entries. Because the authentication…

  • CVE-2026-31816 | Mar 9, 2026
    risk 0.01 | cvss n/a | epss 0.15

    Budibase is a low code platform for creating internal tools, workflows, and admin panels. In 3.31.4 and earlier, the Budibase server's authorized() middleware that protects every server-side API endpoint can be completely bypassed by appending a webhook path pattern to the query…

  • CVE-2026-33226 | Mar 20, 2026
    risk 0.00 | cvss n/a | epss 0.00

    Budibase is a low code platform for creating internal tools, workflows, and admin panels. In versions 3.30.6 and prior, the REST datasource query preview endpoint (POST /api/queries/preview) makes server-side HTTP requests to any URL supplied by the user in fields.path with…

  • CVE-2026-30240 | Mar 9, 2026
    risk 0.00 | cvss n/a | epss 0.00

    Budibase is a low code platform for creating internal tools, workflows, and admin panels. In 3.31.5 and earlier, a path traversal vulnerability in the PWA (Progressive Web App) ZIP processing endpoint (POST /api/pwa/process-zip) allows an authenticated user with builder…

  • CVE-2026-25045 | Mar 9, 2026
    risk 0.00 | cvss n/a | epss 0.00

    Budibase is a low code platform for creating internal tools, workflows, and admin panels. This issue is a combination of Vertical Privilege Escalation and IDOR (Insecure Direct Object Reference) due to missing server-side RBAC checks in the /api/global/users endpoints. A…

  • CVE-2026-25737 | Mar 9, 2026
    risk 0.00 | cvss n/a | epss 0.00

    Budibase is a low code platform for creating internal tools, workflows, and admin panels. In 3.24.0 and earlier, an arbitrary file upload vulnerability exists even though file extension restrictions are configured. The restriction is enforced only at the UI level. An attacker…

  • CVE-2026-25041 | Mar 9, 2026
    risk 0.00 | cvss n/a | epss 0.00

    Budibase is a low code platform for creating internal tools, workflows, and admin panels. In 3.23.22 and earlier, the PostgreSQL integration constructs shell commands using user-controlled configuration values (database name, host, password, etc.) without proper sanitization.…

  • CVE-2026-27702 | Feb 25, 2026
    risk 0.00 | cvss n/a | epss 0.00

    Budibase is a low code platform for creating internal tools, workflows, and admin panels. Prior to version 3.30.4, an unsafe `eval()` vulnerability in Budibase's view filtering implementation allows any authenticated user (including free tier accounts) to execute arbitrary…

  • CVE-2026-25040 | Jan 29, 2026
    risk 0.00 | cvss n/a | epss 0.01

    Budibase is a low code platform for creating internal tools, workflows, and admin panels. In versions up to and including 3.26.3, a Creator-level user, who normally has no UI permission to invite users, can manipulate API requests to invite new users with any role, including…

  • CVE-2023-29010 | Apr 6, 2023
    risk 0.00 | cvss n/a | epss 0.01

    Budibase is a low code platform for creating internal tools, workflows, and admin panels. Versions prior to 2.4.3 (07 March 2023) are vulnerable to Server-Side Request Forgery. This can lead to an attacker gaining access to a Budibase AWS secret key. Users of Budibase cloud need…

  • CVE-2022-3225 | Sep 16, 2022
    risk 0.00 | cvss n/a | epss 0.01

    Improper Control of Dynamically-Managed Code Resources in GitHub repository budibase/budibase prior to 1.3.20.

Page 2 of 2