Budibase
by Budibase
Source repositories
CVEs (40)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-46426 | Budibase | High | 0.42 | 7.6 | 0.00 | — | May 27, 2026 | Budibase is an open-source low-code platform. Prior to 3.38.2, the file upload endpoint POST /api/attachments/process does not enforce active-content restrictions for authenticated users. The checks for dangerous file extensions are conditionally wrapped inside if (isPublicUser)… |
| CVE-2026-50136 | Budibase | High | 0.38 | — | 0.00 | — | Jun 22, 2026 | The application server exposes an unauthenticated endpoint that generates S3 `PutObject` presigned URLs using credentials stored in a workspace datasource. The route is protected only by the recaptcha middleware and does not require authentication, table permission, datasource… |
| CVE-2026-50132 | Budibase | High | 0.38 | — | 0.00 | — | Jun 22, 2026 | Title: Chat Identity Link Hijacking — Attacker Can Silently Map Their Slack/Discord Identity to Any Authenticated Budibase User's Account. Severity: High — CVSS 3.1: AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N = 7.3. Affected Product: Budibase… |
| CVE-2026-48147 | Budibase | Medium | 0.35 | 6.5 | 0.00 | — | May 27, 2026 | Budibase is an open-source low-code platform. Prior to 3.35.4, the buildMatcherRegex() / matches() functions in packages/backend-core/src/middleware/matchers.ts route patterns are compiled into unanchored regular expressions and tested against ctx.request.url, which includes the… |
| CVE-2026-45719 | Budibase | Medium | 0.35 | 6.5 | 0.00 | — | May 27, 2026 | Budibase is an open-source low-code platform. Prior to 3.38.1, the V1 Views API (POST /api/views) accepts a calculation parameter from the request body that is interpolated directly into a CouchDB reduce function definition without validation. Although an internal SCHEMA_MAP… |
| CVE-2026-45718 | Budibase | Medium | 0.28 | 5.4 | 0.00 | — | May 27, 2026 | Budibase is an open-source low-code platform. Prior to 3.38.1, the row action trigger endpoint (POST /api/tables/:sourceId/actions/:actionId/trigger) fails to validate that the user-supplied rowId is within the scope of the view's row filters. A user with access to a filtered… |
| CVE-2026-48148 | Budibase | Medium | 0.27 | — | 0.00 | — | May 27, 2026 | Budibase is an open-source low-code platform. Prior to 3.35.3, the VectorDB configuration endpoint in Budibase accepts a host parameter that undergoes no validation against internal IP ranges, reserved hostnames, or URL schemes. Any authenticated user with builder-level access… |
| CVE-2026-25043 | Budibase | Medium | 0.27 | 5.3 | 0.00 | — | Apr 3, 2026 | Budibase is an open-source low-code platform. Prior to version 3.23.25, a business logic vulnerability exists in Budibase's password reset functionality due to the absence of rate limiting, CAPTCHA, or abuse prevention mechanisms on the "Forgot Password" endpoint. An… |
| CVE-2026-48128 | Budibase | Medium | 0.26 | — | 0.00 | — | May 27, 2026 | Budibase is an open-source low-code platform. Prior to 3.39.0, the executeQuery automation step in Budibase accepts a queryId from automation step inputs and passes it directly to the query execution controller without additional validation. When combined with a REST datasource… |
| CVE-2026-46424 | Budibase | Medium | 0.20 | 4.2 | 0.00 | — | May 27, 2026 | Budibase is an open-source low-code platform. Prior to 3.38.2, the public API role unassignment endpoint (POST /api/public/v1/roles/unassign) updates user documents in CouchDB but does not invalidate the corresponding Redis user cache entries. Because the authentication… |
| CVE-2026-31816 | Budibase | — | 0.01 | — | 0.15 | — | Mar 9, 2026 | Budibase is a low code platform for creating internal tools, workflows, and admin panels. In 3.31.4 and earlier, the Budibase server's authorized() middleware that protects every server-side API endpoint can be completely bypassed by appending a webhook path pattern to the query… |
| CVE-2026-33226 | Budibase | — | 0.00 | — | 0.00 | — | Mar 20, 2026 | Budibase is a low code platform for creating internal tools, workflows, and admin panels. In versions from 3.30.6 and prior, the REST datasource query preview endpoint (POST /api/queries/preview) makes server-side HTTP requests to any URL supplied by the user in fields.path with… |
| CVE-2026-30240 | Budibase | — | 0.00 | — | 0.00 | — | Mar 9, 2026 | Budibase is a low code platform for creating internal tools, workflows, and admin panels. In 3.31.5 and earlier, a path traversal vulnerability in the PWA (Progressive Web App) ZIP processing endpoint (POST /api/pwa/process-zip) allows an authenticated user with builder… |
| CVE-2026-25045 | Budibase | — | 0.00 | — | 0.00 | — | Mar 9, 2026 | Budibase is a low code platform for creating internal tools, workflows, and admin panels. This issue is a combination of Vertical Privilege Escalation and IDOR (Insecure Direct Object Reference) due to missing server-side RBAC checks in the /api/global/users endpoints. A… |
| CVE-2026-25737 | Budibase | — | 0.00 | — | 0.00 | — | Mar 9, 2026 | Budibase is a low code platform for creating internal tools, workflows, and admin panels. In 3.24.0 and earlier, an arbitrary file upload vulnerability exists even though file extension restrictions are configured. The restriction is enforced only at the UI level. An attacker… |
| CVE-2026-25041 | Budibase | — | 0.00 | — | 0.00 | — | Mar 9, 2026 | Budibase is a low code platform for creating internal tools, workflows, and admin panels. In 3.23.22 and earlier, the PostgreSQL integration constructs shell commands using user-controlled configuration values (database name, host, password, etc.) without proper sanitization.… |
| CVE-2026-27702 | Budibase | — | 0.00 | — | 0.00 | — | Feb 25, 2026 | Budibase is a low code platform for creating internal tools, workflows, and admin panels. Prior to version 3.30.4, an unsafe `eval()` vulnerability in Budibase's view filtering implementation allows any authenticated user (including free tier accounts) to execute arbitrary… |
| CVE-2026-25040 | Budibase | — | 0.00 | — | 0.01 | — | Jan 29, 2026 | Budibase is a low code platform for creating internal tools, workflows, and admin panels. In versions up to and including 3.26.3, a Creator-level user, who normally has no UI permission to invite users, can manipulate API requests to invite new users with any role, including… |
| CVE-2023-29010 | Budibase | — | 0.00 | — | 0.01 | — | Apr 6, 2023 | Budibase is a low code platform for creating internal tools, workflows, and admin panels. Versions prior to 2.4.3 (07 March 2023) are vulnerable to Server-Side Request Forgery. This can lead to an attacker gaining access to a Budibase AWS secret key. Users of Budibase cloud need… |
| CVE-2022-3225 | Budibase | — | 0.00 | — | 0.01 | — | Sep 16, 2022 | Improper Control of Dynamically-Managed Code Resources in GitHub repository budibase/budibase prior to 1.3.20. |
Page 2 of 2