What is the CVSS score of CVE-2026-27702?

CVE-2026-27702 has a CVSS 3.1 base score of 9.9 (Critical). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L. EPSS exploitation probability: 0.1%.

Which versions of AWS are affected by CVE-2026-27702?

A critical vulnerability (CVSS 9.9) in Budibase affects all deployments of this low-code platform used for internal tools and admin panels.. A patch is available.

Is there a public PoC exploit available for CVE-2026-27702?

Yes, a public proof-of-concept exploit is available for CVE-2026-27702. Prioritise patching immediately. EPSS: 0.1%.

AWS CVE-2026-27702

CRITICAL

Improper Input Validation (CWE-20)

2026-02-25 security-advisories@github.com

GHSA-rvhr-26g4-p2r8

AWS Budibase

9.9

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

Low

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 21:55 vuln.today

PoC Detected

Mar 02, 2026 - 19:31 vuln.today

Public exploit code

Patch released

Mar 02, 2026 - 19:31 nvd

Patch available

CVE Published

Feb 25, 2026 - 16:23 nvd

CRITICAL 9.9

DescriptionNVD

Budibase is a low code platform for creating internal tools, workflows, and admin panels. Prior to version 3.30.4, an unsafe eval() vulnerability in Budibase's view filtering implementation allows any authenticated user (including free tier accounts) to execute arbitrary JavaScript code on the server. This vulnerability ONLY affects Budibase Cloud (SaaS) - self-hosted deployments use native CouchDB views and are not vulnerable. The vulnerability exists in packages/server/src/db/inMemoryView.ts where user-controlled view map functions are directly evaluated without sanitization. The primary impact comes from what lives inside the pod's environment: the app-service pod runs with secrets baked into its environment variables, including INTERNAL_API_KEY, JWT_SECRET, CouchDB admin credentials, AWS keys, and more. Using the extracted CouchDB credentials, we verified direct database access, enumerated all tenant databases, and confirmed that user records (email addresses) are readable. Version 3.30.4 contains a patch.

AnalysisAI

Unauthorized data access in Budibase low-code platform before 3.30.4 allows unauthenticated users to manipulate internal state. PoC and patch available.

RemediationAI

Within 24 hours: Identify all Budibase instances in your environment and assess which are internet-facing or contain sensitive data. Within 7 days: Apply the available vendor patch to all affected Budibase deployments in development, staging, and production environments, validating functionality after each update. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-27702 vulnerability details – vuln.today

Back