
Budibase EUVD-2026-18754

CVE-2026-25044 · HIGH (8.7, CVSS 4.0, GitHub Advisory)
OS Command Injection (CWE-78)
2026-04-03 · GitHub_M · GHSA-gjw9-34gf-rp6m

Severity by source

GitHub Advisory (primary): 8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory; it is the only source for this CVE.

CVSS Vector (GitHub Advisory)

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: X (not defined)

Lifecycle Timeline

  • Apr 03, 2026 - 15:38 (nvd): CVE Published
  • Apr 03, 2026 - 16:00 (euvd): EUVD ID Assigned (EUVD-2026-18754)
  • Apr 03, 2026 - 16:00 (vuln.today): Analysis Generated
  • Apr 04, 2026 - 02:30 (nvd): Patch released (patch available)

Description (GitHub Advisory)

Budibase is an open-source low-code platform. Prior to version 3.33.4, the bash automation step executes user-provided commands using execSync without proper sanitization or validation. User input is processed through processStringSync which allows template interpolation, potentially allowing arbitrary command execution. This issue has been patched in version 3.33.4.

Analysis (AI)

Remote code execution in Budibase low-code platform versions prior to 3.33.4 enables authenticated attackers to execute arbitrary system commands through the bash automation step feature. The vulnerability stems from unsanitized user input processed via template interpolation in execSync calls, allowing command injection with low attack complexity. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata:

  • Access: Authenticate to Budibase platform
  • Delivery: Create automation with bash step
  • Exploit: Inject command via template interpolation
  • Execution: Execute arbitrary commands via execSync
  • Impact: Compromise system with application privileges

Vulnerability Assessment (AI)

Exploitation: Requires authenticated access to Budibase versions before 3.33.4. …
Risk Assessment: This vulnerability presents high real-world risk for Budibase deployments despite requiring authentication (PR:L). …
Exploit Scenario: An authenticated developer or power user with automation workflow creation privileges logs into their Budibase instance and creates a new automation workflow. In the bash automation step configuration, they inject a malicious template expression containing shell metacharacters and command separators, such as embedding reverse shell commands or data exfiltration scripts within what appears to be legitimate template syntax. …
Remediation: Upgrade immediately to Budibase version 3.33.4 or later, which implements proper input sanitization and validation for bash automation steps. …

Recommended Action (AI)

24 hours: Inventory all Budibase deployments and identify instances running versions prior to 3.33.4; document users with automation step privileges. …
