VYPR

Vendor CVEs: Budibase

All CVEs · 40 total · sorted by risk
  • CVE-2026-54350 · Critical · Jun 23, 2026
    risk 0.59 · cvss n/a · epss 0.00

    `enrichContext` at `packages/server/src/sdk/workspace/queries/queries.ts:121-138` substitutes parameter values into the raw JSON body of a query, then `JSON.parse`s the result. The validator `validateQueryInputs` at `packages/server/src/api/controllers/query/index.ts:…
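    The substitute-then-parse pattern in the entry above is a JSON injection primitive. The following is an added example, not Budibase's code: a hypothetical `enrichUnsafe` that does textual substitution into the raw body before `JSON.parse`, beside an `enrichSafe` that parses first and substitutes only inside string leaves. The `{{name}}` placeholder syntax, the sample body and both function names are assumptions.

```javascript
// Added example, not Budibase's code. Demonstrates why substituting untrusted
// parameter values into a raw JSON string and then calling JSON.parse is an
// injection primitive, beside one safe alternative: parse the template first
// and substitute only inside string leaves of the parsed structure.
// The {{name}} placeholder syntax and both function names are assumptions.

// Constructed sample query body: a filter whose owner is a parameter.
const TEMPLATE = '{"filter": {"owner": "{{owner}}"}, "limit": 10}';

// Vulnerable shape: textual substitution, then parse. A value containing a
// double quote closes the string, and whatever follows is parsed as JSON.
function enrichUnsafe(rawBody, params) {
  let text = rawBody;
  for (const [name, value] of Object.entries(params)) {
    text = text.split(`{{${name}}}`).join(String(value));
  }
  return JSON.parse(text);
}

// Safe shape: parse first, then substitute. Placeholders are only ever
// replaced inside string values, so a parameter can change the content of a
// string but never the structure of the document.
function enrichSafe(rawBody, params) {
  const doc = JSON.parse(rawBody);
  const fill = (s) =>
    s.replace(/\{\{(\w+)\}\}/g, (whole, name) =>
      Object.prototype.hasOwnProperty.call(params, name) ? String(params[name]) : whole);
  const walk = (node) => {
    if (typeof node === 'string') return fill(node);
    if (Array.isArray(node)) return node.map(walk);
    if (node !== null && typeof node === 'object') {
      return Object.fromEntries(Object.entries(node).map(([k, v]) => [k, walk(v)]));
    }
    return node;
  };
  return walk(doc);
}

// A benign parameter behaves identically in both versions.
const BENIGN = { owner: 'alice' };

// A hostile parameter (constructed): closes the string, then re-declares
// "filter". JSON.parse keeps the last duplicate key, so the query now runs
// for "bob" instead of the caller's own owner value.
const HOSTILE = { owner: 'x"}, "filter": {"owner": "bob' };

function demoEnrich() {
  return {
    unsafeBenign: enrichUnsafe(TEMPLATE, BENIGN).filter.owner,   // 'alice'
    unsafeHostile: enrichUnsafe(TEMPLATE, HOSTILE).filter.owner, // 'bob'
    safeHostile: enrichSafe(TEMPLATE, HOSTILE).filter.owner,     // the hostile value, as a plain string
  };
}
```

    The safe version also keeps placeholders that are not in `params` untouched rather than substituting an empty string, so a missing parameter is visible in the query instead of silently widening it.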

  • CVE-2026-54352 · Critical · Jun 22, 2026
    risk 0.59 · cvss n/a · epss 0.00

    `POST /api/pwa/process-zip` at `packages/server/src/api/routes/static.ts:24` accepts a builder-uploaded `.zip`, extracts it with `extract-zip@2.0.1` into a temp directory, then for each entry listed in `icons.json` validates the icon path, opens it, and streams the…

  • CVE-2026-46425 · Critical · May 27, 2026
    risk 0.57 · cvss 9.9 · epss 0.00

    Budibase is an open-source low-code platform. Prior to 3.38.2, packages/worker/src/api/routes/global/scim.ts attaches only two middlewares to the SCIM router: requireSCIM (checks the Enterprise feature flag and SCIM config) and doInScimContext (sets the SCIM request context).…

  • CVE-2026-31818 · Critical · Apr 3, 2026
    risk 0.55 · cvss 9.6 · epss 0.00

    Budibase is an open-source low-code platform. Prior to version 3.33.4, a server-side request forgery (SSRF) vulnerability exists in Budibase's REST datasource connector. The platform's SSRF protection mechanism (IP blacklist) is rendered completely ineffective because the…

  • CVE-2026-48150 · Critical · May 27, 2026
    risk 0.52 · cvss 9.0 · epss 0.00

    Budibase is an open-source low-code platform. Prior to 3.39.0, /api/public/v1/roles/assign is guarded by the builderOrAdmin middleware, which passes any user who is a builder for the app id in the x-budibase-app-id header. That check admits both global builders and…

  • CVE-2026-41428 · Critical · Apr 24, 2026
    risk 0.52 · cvss 9.1 · epss 0.00

    Budibase is an open-source low-code platform. Prior to 3.35.4, the authenticated middleware uses unanchored regular expressions to match public (no-auth) endpoint patterns against ctx.request.url. Since ctx.request.url in Koa includes the query string, an attacker can access any…

  • CVE-2026-35216 · Critical · Apr 3, 2026
    risk 0.52 · cvss 9.0 · epss 0.12

    Budibase is an open-source low-code platform. Prior to version 3.33.4, an unauthenticated attacker can achieve Remote Code Execution (RCE) on the Budibase server by triggering an automation that contains a Bash step via the public webhook endpoint. No authentication is required…

  • CVE-2026-45716 · High · May 27, 2026
    risk 0.50 · cvss 8.8 · epss 0.00

    Budibase is an open-source low-code platform. Prior to 3.38.1, the POST /api/global/users/onboard endpoint is protected by workspaceBuilderOrAdmin middleware, allowing any user with builder permissions to access it. When SMTP email is not configured (the default for self-hosted…

  • CVE-2026-35218 · High · Apr 3, 2026
    risk 0.50 · cvss 8.7 · epss 0.00

    Budibase is an open-source low-code platform. Prior to version 3.32.5, Budibase's Builder Command Palette renders entity names (tables, views, queries, automations) using Svelte's {@html} directive without any sanitization. An authenticated user with Builder access can create a…

  • CVE-2026-35214 · High · Apr 3, 2026
    risk 0.50 · cvss 8.7 · epss 0.01

    Budibase is an open-source low-code platform. Prior to version 3.33.4, the plugin file upload endpoint (POST /api/plugin/upload) passes the user-supplied filename directly to createTempFolder() without sanitizing path traversal sequences. An attacker with Global Builder…

  • CVE-2026-25044 · High · Apr 3, 2026
    risk 0.50 · cvss 8.8 · epss 0.00

    Budibase is an open-source low-code platform. Prior to version 3.33.4, the bash automation step executes user-provided commands using execSync without proper sanitization or validation. User input is processed through processStringSync which allows template interpolation,…

  • CVE-2026-48153 · High · May 27, 2026
    risk 0.48 · cvss 8.5 · epss 0.00

    Budibase is an open-source low-code platform. Prior to 3.39.0, fetchToken in the OAuth2 SDK makes a POST to a builder-supplied URL with plain node-fetch, skipping the blacklist.isBlacklisted check that every other outbound fetch path in the codebase uses. The Joi schema for the…

  • CVE-2026-48152 · High · May 27, 2026
    risk 0.46 · cvss 8.1 · epss 0.00

    Budibase is an open-source low-code platform. Prior to 3.39.0, the single-datasource GET and PUT routes are guarded by generic TABLE READ, not by Builder/Admin permission or datasource-specific ownership/resource checks. The built-in Basic app user role maps to the WRITE…

  • CVE-2026-48149 · High · May 27, 2026
    risk 0.46 · cvss 8.1 · epss 0.00

    Budibase is an open-source low-code platform. Prior to 3.39.0, the Budibase Text component renders markdown by assigning marked.parse(markdown) straight to innerHTML with no sanitizer (packages/bbui/src/Markdown/MarkdownViewer.svelte:22). Any column a builder binds to a Text…

  • CVE-2026-54353 · High · Jun 22, 2026
    risk 0.45 · cvss n/a · epss 0.00

    Authenticated users with automation permissions can bypass Budibase's SSRF blacklist through DNS rebinding. The outbound fetch flow validates a hostname against the blacklist before the request is sent, but the actual socket connection later performs a separate DNS…

  • CVE-2026-54351 · High · Jun 22, 2026
    risk 0.45 · cvss n/a · epss 0.00

    The webhook trigger endpoint in Budibase is publicly accessible and passes the full HTTP request body into automation execution parameters. A mass assignment vulnerability in `externalTrigger()` allows an attacker to overwrite the internal `appId` property by…
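    The mass-assignment shape described in the entry above, as an added example that is not Budibase's code: a hypothetical webhook trigger that builds automation parameters by spreading the request body over server-resolved fields, beside a version that copies only the fields a declared schema names, type-checks them, and keeps internal keys out of the body's reach. The schema format, the reserved-key list and all names are assumptions.

```javascript
// Added example, not Budibase's code. The unsafe builder spreads the request
// body over internally-resolved fields, so a body carrying "appId" overrides
// the appId the server derived from the route. The safe builder copies only
// the fields the webhook's declared schema names, checks their types, and
// places internal fields last so nothing from the body can shadow them.
// The schema format ({ field: 'string' | 'number' | 'boolean' }) and all
// names here are assumptions.

const RESERVED = new Set(['appId', 'automationId', 'user']);

function buildParamsUnsafe(internal, body) {
  // Mass assignment: every key in body, including appId, wins over internal.
  return { ...internal, ...body };
}

function buildParamsSafe(internal, body, schema) {
  const fields = {};
  for (const [key, type] of Object.entries(schema)) {
    if (RESERVED.has(key)) {
      throw new Error(`schema may not declare reserved field "${key}"`);
    }
    if (!Object.prototype.hasOwnProperty.call(body, key)) continue;
    const value = body[key];
    if (typeof value !== type) {
      throw new Error(`field "${key}" must be ${type}, got ${typeof value}`);
    }
    fields[key] = value;
  }
  // Caller-supplied values live under "fields"; internal keys are written
  // last, so even a future schema mistake cannot let the body override them.
  return { fields, ...internal };
}

// Constructed request: the route resolved app_victim, the body claims
// app_attacker and also carries a field the schema never declared.
const INTERNAL = { appId: 'app_victim', automationId: 'auto_1' };
const BODY = { appId: 'app_attacker', customerId: 'c-42', amount: 19.99, extra: 'ignored' };
const SCHEMA = { customerId: 'string', amount: 'number' };

function demoTrigger() {
  return {
    unsafeAppId: buildParamsUnsafe(INTERNAL, BODY).appId, // 'app_attacker'
    safe: buildParamsSafe(INTERNAL, BODY, SCHEMA),        // appId stays 'app_victim'
  };
}
```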

  • CVE-2026-50137 · High · Jun 22, 2026
    risk 0.45 · cvss n/a · epss 0.00

    The Budibase server route `POST /api/attachments/:datasourceId/url` (`packages/server/src/api/routes/static.ts`, https://github.com/Budibase/budibase/blob/56d2a984/packages/server/src/api/routes/static.ts) is registered with only the `recaptcha` middleware.…

  • CVE-2026-48146 · High · May 27, 2026
    risk 0.43 · cvss 7.7 · epss 0.00

    Budibase is an open-source low-code platform. Prior to 3.39.0, the OAuth2 token fetch function in packages/server/src/sdk/workspace/oauth2/utils.ts uses raw fetch(config.url) with no SSRF protection. The safe wrapper fetchWithBlacklist() exists in the same codebase and is used…

  • CVE-2026-46427 · High · May 27, 2026
    risk 0.43 · cvss 7.7 · epss 0.00

    Budibase is an open-source low-code platform. Prior to 3.38.3, removeSecrets at packages/server/src/sdk/workspace/datasources/datasources.ts masks only datasource config fields whose schema type is DatasourceFieldType.PASSWORD. The Snowflake integration types its privateKey…

  • CVE-2026-48151 · High · May 27, 2026
    risk 0.42 · cvss 7.5 · epss 0.00

    Budibase is an open-source low-code platform. Prior to 3.39.0, the webhook schema-building endpoint is registered under builderRoutes, but the generic authorization middleware skips authorization for all paths matching /api/webhooks/schema. As a result, an unauthenticated caller…

  • CVE-2026-46426 · High · May 27, 2026
    risk 0.42 · cvss 7.6 · epss 0.00

    Budibase is an open-source low-code platform. Prior to 3.38.2, the file upload endpoint POST /api/attachments/process does not enforce active-content restrictions for authenticated users. The checks for dangerous file extensions are conditionally wrapped inside if (isPublicUser)…

  • CVE-2026-50136 · High · Jun 22, 2026
    risk 0.38 · cvss n/a · epss 0.00

    The application server exposes an unauthenticated endpoint that generates S3 `PutObject` presigned URLs using credentials stored in a workspace datasource. The route is protected only by the recaptcha middleware and does not require authentication, table permission, datasource…

  • CVE-2026-50132 · High · Jun 22, 2026
    risk 0.38 · cvss n/a · epss 0.00

    Chat Identity Link Hijacking: an attacker can silently map their Slack/Discord identity to any authenticated Budibase user's account. Severity: High (CVSS 3.1 AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N = 7.3). Affected product: Budibase…

  • CVE-2026-48147 · Medium · May 27, 2026
    risk 0.35 · cvss 6.5 · epss 0.00

    Budibase is an open-source low-code platform. Prior to 3.35.4, the buildMatcherRegex() / matches() functions in packages/backend-core/src/middleware/matchers.ts route patterns are compiled into unanchored regular expressions and tested against ctx.request.url, which includes the…

  • CVE-2026-45719 · Medium · May 27, 2026
    risk 0.35 · cvss 6.5 · epss 0.00

    Budibase is an open-source low-code platform. Prior to 3.38.1, the V1 Views API (POST /api/views) accepts a calculation parameter from the request body that is interpolated directly into a CouchDB reduce function definition without validation. Although an internal SCHEMA_MAP…

  • CVE-2026-45718 · Medium · May 27, 2026
    risk 0.28 · cvss 5.4 · epss 0.00

    Budibase is an open-source low-code platform. Prior to 3.38.1, the row action trigger endpoint (POST /api/tables/:sourceId/actions/:actionId/trigger) fails to validate that the user-supplied rowId is within the scope of the view's row filters. A user with access to a filtered…

  • CVE-2026-48148 · Medium · May 27, 2026
    risk 0.27 · cvss n/a · epss 0.00

    Budibase is an open-source low-code platform. Prior to 3.35.3, the VectorDB configuration endpoint in Budibase accepts a host parameter that undergoes no validation against internal IP ranges, reserved hostnames, or URL schemes. Any authenticated user with builder-level access…

  • CVE-2026-25043 · Medium · Apr 3, 2026
    risk 0.27 · cvss 5.3 · epss 0.00

    Budibase is an open-source low-code platform. Prior to version 3.23.25, a business logic vulnerability exists in Budibase’s password reset functionality due to the absence of rate limiting, CAPTCHA, or abuse prevention mechanisms on the “Forgot Password” endpoint. An…

  • CVE-2026-48128 · Medium · May 27, 2026
    risk 0.26 · cvss n/a · epss 0.00

    Budibase is an open-source low-code platform. Prior to 3.39.0, the executeQuery automation step in Budibase accepts a queryId from automation step inputs and passes it directly to the query execution controller without additional validation. When combined with a REST datasource…

  • CVE-2026-46424 · Medium · May 27, 2026
    risk 0.20 · cvss 4.2 · epss 0.00

    Budibase is an open-source low-code platform. Prior to 3.38.2, the public API role unassignment endpoint (POST /api/public/v1/roles/unassign) updates user documents in CouchDB but does not invalidate the corresponding Redis user cache entries. Because the authentication…

  • CVE-2026-31816 · Mar 9, 2026
    risk 0.01 · cvss n/a · epss 0.15

    Budibase is a low code platform for creating internal tools, workflows, and admin panels. In 3.31.4 and earlier, the Budibase server's authorized() middleware that protects every server-side API endpoint can be completely bypassed by appending a webhook path pattern to the query…
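    The matcher bug behind CVE-2026-41428, CVE-2026-48147, CVE-2026-48151 and CVE-2026-31816 above (route patterns compiled into unanchored regular expressions and tested against the full URL, query string included) is easy to reproduce. The following is an added example, not Budibase's code: a hypothetical allowlist of public route patterns, an `isPublicUnsafe` that matches the way those entries describe, and an `isPublicSafe` that anchors the pattern and tests the path component only. The pattern syntax, the sample routes and all names are assumptions.

```javascript
// Added example, not Budibase's code. `isPublicUnsafe` compiles each public
// route pattern into an unanchored RegExp and tests it against the full
// request URL, query string included, the way Koa's ctx.request.url carries
// it. `isPublicSafe` anchors the pattern at both ends and tests only the path.
// Pattern syntax (":param" = one path segment) and all names are assumptions.

const PUBLIC_PATTERNS = [
  '/api/webhooks/trigger/:appId/:id',
  '/api/webhooks/schema',
]; // constructed allowlist of no-auth routes

function buildMatchersUnsafe(patterns) {
  // No ^ or $, so the pattern may match anywhere in the string, including
  // inside the query string of an unrelated, protected route.
  return patterns.map((p) => new RegExp(p.replace(/:[^/]+/g, '[^/]+')));
}

function isPublicUnsafe(matchers, requestUrl) {
  return matchers.some((re) => re.test(requestUrl));
}

function buildMatchersSafe(patterns) {
  return patterns.map((p) => {
    const escaped = p.replace(/[.*+?^${}()|[\]\\]/g, '\\$&'); // literal chars stay literal
    return new RegExp('^' + escaped.replace(/:[^/]+/g, '[^/]+') + '$');
  });
}

function isPublicSafe(matchers, requestUrl) {
  // Match the path only. The base URL is a dummy so relative URLs parse.
  const path = new URL(requestUrl, 'http://localhost').pathname;
  return matchers.some((re) => re.test(path));
}

const UNSAFE = buildMatchersUnsafe(PUBLIC_PATTERNS);
const SAFE = buildMatchersSafe(PUBLIC_PATTERNS);

// Constructed requests. "smuggled" is a protected route whose query string
// merely contains a public pattern.
const REQUESTS = {
  trigger: '/api/webhooks/trigger/app_123/wh_456?source=cron',
  schema: '/api/webhooks/schema',
  smuggled: '/api/admin/users?redirect=/api/webhooks/schema',
};

// Returns how each matcher classifies a request URL.
function classify(requestUrl) {
  return {
    unsafe: isPublicUnsafe(UNSAFE, requestUrl),
    safe: isPublicSafe(SAFE, requestUrl),
  };
}
```

    Anchoring alone is not enough if the input is still the full URL: `^/api/webhooks/schema$` would then fail on a legitimate `/api/webhooks/schema?x=1`. The fix needs both the anchors and the path-only input.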

  • CVE-2026-33226 · Mar 20, 2026
    risk 0.00 · cvss n/a · epss 0.00

    Budibase is a low code platform for creating internal tools, workflows, and admin panels. In versions 3.30.6 and prior, the REST datasource query preview endpoint (POST /api/queries/preview) makes server-side HTTP requests to any URL supplied by the user in fields.path with…
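    Several entries above are SSRF in outbound fetch paths: CVE-2026-31818, CVE-2026-48153, CVE-2026-48146, CVE-2026-48148 and CVE-2026-33226 describe blacklist checks that were missing or ineffective, and CVE-2026-54353 describes defeating a present check by DNS rebinding between the check and the connect. The following is an added example, not Budibase's code: an `isPrivateAddress` classifier for resolved IP literals, and a `checkAndPin` that resolves once, rejects internal answers, and returns a Node `lookup`-compatible function so the socket is forced onto the address that was checked. The resolver is injected so the example runs offline; in real code it would be `await dns.promises.resolve4(hostname)` and the returned function would be passed as the `lookup` option of `http.request`/`https.request` or an `Agent`. All names and the sample addresses are assumptions.

```javascript
// Added example, not Budibase's code. `isPrivateAddress` classifies a resolved
// IP literal (loopback, RFC 1918, link-local including the cloud metadata
// address 169.254.169.254, CGNAT, IPv4-mapped IPv6, IPv6 ULA and link-local).
// `checkAndPin` closes the check-then-connect gap behind DNS rebinding: it
// resolves once, rejects if any answer is internal, and returns a function
// with the dns.lookup signature that always hands the socket the checked
// address, so a second DNS answer is never consulted. The resolver is
// injected (synchronous here) so this runs offline; real code would await
// dns.promises.resolve4 and pass the returned function as http.request's
// `lookup` option.

function parseIPv4(s) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(s);
  if (!m) return null;
  const octets = m.slice(1).map(Number);
  return octets.every((o) => o <= 255) ? octets : null;
}

function isPrivateAddress(ip) {
  const mapped = /^::ffff:(\d+\.\d+\.\d+\.\d+)$/i.exec(ip);
  if (mapped) ip = mapped[1]; // ::ffff:127.0.0.1 is still 127.0.0.1
  const v4 = parseIPv4(ip);
  if (v4) {
    const [a, b] = v4;
    return (
      a === 0 || a === 10 || a === 127 ||
      (a === 169 && b === 254) ||          // link-local, incl. 169.254.169.254
      (a === 172 && b >= 16 && b <= 31) ||
      (a === 192 && b === 168) ||
      (a === 100 && b >= 64 && b <= 127)   // CGNAT 100.64.0.0/10
    );
  }
  const v6 = ip.toLowerCase();
  if (!v6.includes(':')) return true;       // not an IP literal at all: fail closed
  if (v6 === '::1' || v6 === '::') return true;
  if (/^f[cd][0-9a-f]{2}:/.test(v6)) return true;   // unique local fc00::/7
  if (/^fe[89ab][0-9a-f]:/.test(v6)) return true;   // link-local fe80::/10
  return false;
}

function pinnedLookup(address) {
  const family = address.includes(':') ? 6 : 4;
  // Same signature as dns.lookup, which is what http.request's `lookup`
  // option expects. The hostname argument is deliberately ignored.
  return function lookup(hostname, options, callback) {
    if (typeof options === 'function') { callback = options; options = {}; }
    if (options && options.all) return callback(null, [{ address, family }]);
    return callback(null, address, family);
  };
}

function checkAndPin(hostname, resolve) {
  const addresses = resolve(hostname);
  if (addresses.length === 0) throw new Error(`no address for ${hostname}`);
  for (const a of addresses) {
    if (isPrivateAddress(a)) throw new Error(`blocked: ${hostname} resolves to ${a}`);
  }
  return pinnedLookup(addresses[0]);
}

// Constructed rebinding resolver: a public answer on the first query and an
// internal one on the next, which is how rebinding beats a check that lets
// the socket resolve the name a second time.
function rebindingResolver() {
  let calls = 0;
  return function resolve() {
    calls += 1;
    return calls === 1 ? ['93.184.216.34'] : ['169.254.169.254'];
  };
}

// Returns the address the socket would be handed after the check.
function demoRebinding() {
  const lookup = checkAndPin('example.test', rebindingResolver());
  let connectedTo;
  lookup('example.test', {}, (err, address) => { connectedTo = address; });
  return connectedTo; // '93.184.216.34'
}
```

    Pinning the address also means redirects must be handled by the caller (each `Location` target re-checked and re-pinned), since following them inside the HTTP client would resolve the new host without the check.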

  • CVE-2026-30240 · Mar 9, 2026
    risk 0.00 · cvss n/a · epss 0.00

    Budibase is a low code platform for creating internal tools, workflows, and admin panels. In 3.31.5 and earlier, a path traversal vulnerability in the PWA (Progressive Web App) ZIP processing endpoint (POST /api/pwa/process-zip) allows an authenticated user with builder…

  • CVE-2026-25045 · Mar 9, 2026
    risk 0.00 · cvss n/a · epss 0.00

    Budibase is a low code platform for creating internal tools, workflows, and admin panels. This issue is a combination of Vertical Privilege Escalation and IDOR (Insecure Direct Object Reference) due to missing server-side RBAC checks in the /api/global/users endpoints. A…

  • CVE-2026-25737 · Mar 9, 2026
    risk 0.00 · cvss n/a · epss 0.00

    Budibase is a low code platform for creating internal tools, workflows, and admin panels. In 3.24.0 and earlier, an arbitrary file upload vulnerability exists even though file extension restrictions are configured. The restriction is enforced only at the UI level. An attacker…

  • CVE-2026-25041 · Mar 9, 2026
    risk 0.00 · cvss n/a · epss 0.00

    Budibase is a low code platform for creating internal tools, workflows, and admin panels. In 3.23.22 and earlier, the PostgreSQL integration constructs shell commands using user-controlled configuration values (database name, host, password, etc.) without proper sanitization.…

  • CVE-2026-27702 · Feb 25, 2026
    risk 0.00 · cvss n/a · epss 0.00

    Budibase is a low code platform for creating internal tools, workflows, and admin panels. Prior to version 3.30.4, an unsafe `eval()` vulnerability in Budibase's view filtering implementation allows any authenticated user (including free tier accounts) to execute arbitrary…

  • CVE-2026-25040 · Jan 29, 2026
    risk 0.00 · cvss n/a · epss 0.01

    Budibase is a low code platform for creating internal tools, workflows, and admin panels. In versions up to and including 3.26.3, a Creator-level user, who normally has no UI permission to invite users, can manipulate API requests to invite new users with any role, including…

  • CVE-2023-29010 · Apr 6, 2023
    risk 0.00 · cvss n/a · epss 0.01

    Budibase is a low code platform for creating internal tools, workflows, and admin panels. Versions prior to 2.4.3 (07 March 2023) are vulnerable to Server-Side Request Forgery. This can lead to an attacker gaining access to a Budibase AWS secret key. Users of Budibase cloud need…

  • CVE-2022-3225 · Sep 16, 2022
    risk 0.00 · cvss n/a · epss 0.01

    Improper Control of Dynamically-Managed Code Resources in GitHub repository budibase/budibase prior to 1.3.20.