What is the CVSS score of CVE-2026-25043?

CVE-2026-25043 has a CVSS 3.1 base score of 5.3 (Medium). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L. EPSS exploitation probability: 0.0%.

Is there a patch available for CVE-2026-25043?

Yes, a patch is available for CVE-2026-25043. Update the affected software to the latest version immediately.

Budibase CVE-2026-25043

EUVD-2026-18752 MEDIUM

Allocation of Resources Without Limits or Throttling (CWE-770)

2026-04-03 GitHub_M

Denial Of Service Budibase

5.3

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

5.3 MEDIUM

AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

Low

Lifecycle Timeline

Patch available

Apr 16, 2026 - 05:29 EUVD

3.23.25

EUVD ID Assigned

Apr 03, 2026 - 16:00 euvd

EUVD-2026-18752

Analysis Generated

Apr 03, 2026 - 16:00 vuln.today

CVE Published

Apr 03, 2026 - 15:35 nvd

MEDIUM 5.3

DescriptionGitHub Advisory

Budibase is an open-source low-code platform. Prior to version 3.23.25, a business logic vulnerability exists in Budibase’s password reset functionality due to the absence of rate limiting, CAPTCHA, or abuse prevention mechanisms on the “Forgot Password” endpoint. An unauthenticated attacker can repeatedly trigger password reset requests for the same email address, resulting in hundreds of password reset emails being sent in a short time window. This enables large-scale email flooding, user harassment, denial of service (DoS) against user inboxes, and potential financial and reputational impact for Budibase. This issue has been patched in version 3.23.25.

AnalysisAI

Email flooding denial of service in Budibase prior to version 3.23.25 allows unauthenticated remote attackers to overwhelm user inboxes by repeatedly triggering password reset requests without rate limiting, CAPTCHA, or abuse prevention controls. An attacker can send hundreds of password reset emails to a target address in a short time window, causing user harassment, inbox denial of service, and potential reputational damage. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Vulnerability AssessmentAI

Risk Assessment	The CVSS score of 5.3 reflects the limited direct technical impact-this is not remote code execution or data compromise-but the real-world risk is significant for affected deployments. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An attacker obtains the email address of a Budibase user (either a target individual or mass-enumerates addresses) and uses a simple script to send repeated requests to the unauthenticated 'Forgot Password' endpoint with that email. Within seconds, the target user's inbox receives dozens or hundreds of password reset emails, creating spam, potential phishing confusion (if mixed with legitimate reset messages), and user disruption. …
Remediation	Upgrade Budibase to version 3.23.25 or later immediately. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-25043 vulnerability details – vuln.today

Back

Budibase CVE-2026-25043

Severity by source

CVSS VectorGitHub Advisory

Lifecycle Timeline

DescriptionGitHub Advisory

AnalysisAI

Unlock full vulnerability intelligence

Vulnerability AssessmentAI

Share

External POC / Exploit Code