What is the CVSS score of CVE-2026-35218?

CVE-2026-35218 has a CVSS 3.1 base score of 8.7 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N. EPSS exploitation probability: 0.0%.

Which versions of Budibase are affected by CVE-2026-35218?

Budibase versions prior to 3.32.5 contain a stored cross-site scripting vulnerability in the Builder Command Palette that allows authenticated users with Builder role to inject malicious code through…. A patch is available.

How to fix or mitigate CVE-2026-35218?

Within 24 hours: Identify all Budibase instances and confirm current version via administration console. Within 7 days: Upgrade all affected Budibase deployments to version 3.32.5 or later; coordinate testing in non-production environments first. Within 30 days: Audit Builder role accounts for suspicious entity names (tables, views, queries, automations) created in the past 90 days; review audit logs for Command Palette invocations by multiple Builder accounts to identify potential exploitation.

Budibase CVE-2026-35218

EUVD-2026-18797 HIGH

Cross-site Scripting (XSS) (CWE-79)

2026-04-03 GitHub_M

XSS Budibase

8.7

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

8.7 HIGH

AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

Required

Scope

Changed

Confidentiality

High

Integrity

High

Availability

None

Lifecycle Timeline

Analysis Updated

Apr 16, 2026 - 06:07 EUVD-patch-fix

executive_summary

Re-analysis Queued

Apr 16, 2026 - 05:29 backfill_euvd_patch

patch_released

Patch available

Apr 16, 2026 - 05:29 EUVD

3.32.5

EUVD ID Assigned

Apr 03, 2026 - 16:00 euvd

EUVD-2026-18797

Analysis Generated

Apr 03, 2026 - 16:00 vuln.today

CVE Published

Apr 03, 2026 - 15:47 nvd

HIGH 8.7

DescriptionGitHub Advisory

Budibase is an open-source low-code platform. Prior to version 3.32.5, Budibase's Builder Command Palette renders entity names (tables, views, queries, automations) using Svelte's {@html} directive without any sanitization. An authenticated user with Builder access can create a table, automation, view, or query whose name contains an HTML payload (e.g. <img src=x onerror=alert(document.domain)>). When any Builder-role user in the same workspace opens the Command Palette (Ctrl+K), the payload executes in their browser, stealing their session cookie and enabling full account takeover. This issue has been patched in version 3.32.5.

AnalysisAI

Stored cross-site scripting (XSS) in Budibase's Builder Command Palette (versions prior to 3.32.5) enables authenticated Builder users to inject malicious HTML payloads via entity names (tables, views, queries, automations), achieving session hijacking and account takeover when other Builder-role users invoke the Command Palette. CVSS 8.7 with changed scope reflects the cross-user attack vector. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Create table with HTML payload in name

Delivery

Victim opens Command Palette in Budibase Builder

Exploit

Svelte renders unsanitized payload

Execution

JavaScript executes stealing session cookie

Impact

Attacker hijacks victim account