VYPR vendor page: Budibase

Products: 3
CVEs: 40 (across products: 42)
Status: Private

Recent CVEs (40)
  • CVE-2026-54350 | Critical | Jun 23, 2026
    risk 0.59 | cvss: not listed | epss 0.00

    Summary: `enrichContext` at `packages/server/src/sdk/workspace/queries/queries.ts:121-138` substitutes parameter values into the raw JSON body of a query, then `JSON.parse`s the result. The validator `validateQueryInputs` at `packages/server/src/api/controllers/query/index.ts:…

  • CVE-2026-54352 | Critical | Jun 22, 2026
    risk 0.59 | cvss: not listed | epss 0.00

    Summary: `POST /api/pwa/process-zip` at `packages/server/src/api/routes/static.ts:24` accepts a builder-uploaded `.zip`, extracts it with `extract-zip@2.0.1` into a temp directory, then for each entry listed in `icons.json` validates the icon path, opens it, and streams the…

  • CVE-2026-46425 | Critical | May 27, 2026
    risk 0.57 | cvss 9.9 | epss 0.00

    Budibase is an open-source low-code platform. Prior to 3.38.2, packages/worker/src/api/routes/global/scim.ts attaches only two middlewares to the SCIM router: requireSCIM (checks the Enterprise feature flag and SCIM config) and doInScimContext (sets the SCIM request context).…

  • CVE-2026-31818 | Critical | Apr 3, 2026
    risk 0.55 | cvss 9.6 | epss 0.00

    Budibase is an open-source low-code platform. Prior to version 3.33.4, a server-side request forgery (SSRF) vulnerability exists in Budibase's REST datasource connector. The platform's SSRF protection mechanism (IP blacklist) is rendered completely ineffective because the…

  • CVE-2026-48150 | Critical | May 27, 2026
    risk 0.52 | cvss 9.0 | epss 0.00

    Budibase is an open-source low-code platform. Prior to 3.39.0, /api/public/v1/roles/assign is guarded by the builderOrAdmin middleware, which passes any user who is a builder for the app id in the x-budibase-app-id header. That check admits both global builders and…

  • CVE-2026-41428 | Critical | Apr 24, 2026
    risk 0.52 | cvss 9.1 | epss 0.00

    Budibase is an open-source low-code platform. Prior to 3.35.4, the authenticated middleware uses unanchored regular expressions to match public (no-auth) endpoint patterns against ctx.request.url. Since ctx.request.url in Koa includes the query string, an attacker can access any…

  • CVE-2026-35216 | Critical | Apr 3, 2026
    risk 0.52 | cvss 9.0 | epss 0.12

    Budibase is an open-source low-code platform. Prior to version 3.33.4, an unauthenticated attacker can achieve Remote Code Execution (RCE) on the Budibase server by triggering an automation that contains a Bash step via the public webhook endpoint. No authentication is required…

  • CVE-2026-45716 | High | May 27, 2026
    risk 0.50 | cvss 8.8 | epss 0.00

    Budibase is an open-source low-code platform. Prior to 3.38.1, the POST /api/global/users/onboard endpoint is protected by workspaceBuilderOrAdmin middleware, allowing any user with builder permissions to access it. When SMTP email is not configured (the default for self-hosted…

  • CVE-2026-35218 | High | Apr 3, 2026
    risk 0.50 | cvss 8.7 | epss 0.00

    Budibase is an open-source low-code platform. Prior to version 3.32.5, Budibase's Builder Command Palette renders entity names (tables, views, queries, automations) using Svelte's {@html} directive without any sanitization. An authenticated user with Builder access can create a…

  • CVE-2026-35214 | High | Apr 3, 2026
    risk 0.50 | cvss 8.7 | epss 0.01

    Budibase is an open-source low-code platform. Prior to version 3.33.4, the plugin file upload endpoint (POST /api/plugin/upload) passes the user-supplied filename directly to createTempFolder() without sanitizing path traversal sequences. An attacker with Global Builder…

  • CVE-2026-25044 | High | Apr 3, 2026
    risk 0.50 | cvss 8.8 | epss 0.00

    Budibase is an open-source low-code platform. Prior to version 3.33.4, the bash automation step executes user-provided commands using execSync without proper sanitization or validation. User input is processed through processStringSync which allows template interpolation,…

  • CVE-2026-48153 | High | May 27, 2026
    risk 0.48 | cvss 8.5 | epss 0.00

    Budibase is an open-source low-code platform. Prior to 3.39.0, fetchToken in the OAuth2 SDK makes a POST to a builder-supplied URL with plain node-fetch, skipping the blacklist.isBlacklisted check that every other outbound fetch path in the codebase uses. The Joi schema for the…

  • CVE-2026-48152 | High | May 27, 2026
    risk 0.46 | cvss 8.1 | epss 0.00

    Budibase is an open-source low-code platform. Prior to 3.39.0, the single-datasource GET and PUT routes are guarded by generic TABLE READ, not by Builder/Admin permission or datasource-specific ownership/resource checks. The built-in Basic app user role maps to the WRITE…

  • CVE-2026-48149 | High | May 27, 2026
    risk 0.46 | cvss 8.1 | epss 0.00

    Budibase is an open-source low-code platform. Prior to 3.39.0, the Budibase Text component renders markdown by assigning marked.parse(markdown) straight to innerHTML with no sanitizer (packages/bbui/src/Markdown/MarkdownViewer.svelte:22). Any column a builder binds to a Text…

  • CVE-2026-54353 | High | Jun 22, 2026
    risk 0.45 | cvss: not listed | epss 0.00

    Summary: Authenticated users with automation permissions can bypass Budibase's SSRF blacklist through DNS rebinding. The outbound fetch flow validates a hostname against the blacklist before the request is sent, but the actual socket connection later performs a separate DNS…

  • CVE-2026-54351 | High | Jun 22, 2026
    risk 0.45 | cvss: not listed | epss 0.00

    Summary: The webhook trigger endpoint in Budibase is publicly accessible and passes the full HTTP request body into automation execution parameters. A mass assignment vulnerability in `externalTrigger()` allows an attacker to overwrite the internal `appId` property by…

  • CVE-2026-50137 | High | Jun 22, 2026
    risk 0.45 | cvss: not listed | epss 0.00

    Summary: The Budibase server route `POST /api/attachments/:datasourceId/url` ([`packages/server/src/api/routes/static.ts`](https://github.com/Budibase/budibase/blob/56d2a984/packages/server/src/api/routes/static.ts)) is registered with **only** the `recaptcha` middleware.…

  • CVE-2026-48146 | High | May 27, 2026
    risk 0.43 | cvss 7.7 | epss 0.00

    Budibase is an open-source low-code platform. Prior to 3.39.0, the OAuth2 token fetch function in packages/server/src/sdk/workspace/oauth2/utils.ts uses raw fetch(config.url) with no SSRF protection. The safe wrapper fetchWithBlacklist() exists in the same codebase and is used…

  • CVE-2026-46427 | High | May 27, 2026
    risk 0.43 | cvss 7.7 | epss 0.00

    Budibase is an open-source low-code platform. Prior to 3.38.3, removeSecrets at packages/server/src/sdk/workspace/datasources/datasources.ts masks only datasource config fields whose schema type is DatasourceFieldType.PASSWORD. The Snowflake integration types its privateKey…

  • CVE-2026-48151 | High | May 27, 2026
    risk 0.42 | cvss 7.5 | epss 0.00

    Budibase is an open-source low-code platform. Prior to 3.39.0, the webhook schema-building endpoint is registered under builderRoutes, but the generic authorization middleware skips authorization for all paths matching /api/webhooks/schema. As a result, an unauthenticated caller…