CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description
Budibase is an open-source low-code platform. Prior to version 3.33.4, the bash automation step executes user-provided commands using execSync, without sanitization or validation of the command string. That string is first passed through processStringSync, which performs template interpolation, so runtime data referenced by the template is spliced into the command before it reaches the shell, potentially allowing arbitrary command execution. This issue has been patched in version 3.33.4.
Analysis
Remote code execution in Budibase low-code platform versions prior to 3.33.4 enables authenticated attackers to execute arbitrary system commands through the bash automation step feature. The vulnerability stems from unsanitized user input processed via template interpolation in execSync calls, allowing command injection with low attack complexity. …
Remediation
24 hours: Inventory all Budibase deployments and identify instances running versions prior to 3.33.4; document users with automation step privileges. 7 days: Upgrade all Budibase instances to version 3.33.4 or later; if upgrade is not immediately feasible, restrict automation step access to trusted administrator accounts only and disable bash automation steps where possible. …
EUVD-2026-18754
GHSA-gjw9-34gf-rp6m