Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Lifecycle Timeline
2DescriptionGitHub Advisory
Budibase is an open-source low-code platform. Prior to 3.39.0, the Budibase Text component renders markdown by assigning marked.parse(markdown) straight to innerHTML with no sanitizer (packages/bbui/src/Markdown/MarkdownViewer.svelte:22). Any column a builder binds to a Text component in Markdown mode is a stored-XSS sink writable by every BASIC app user with WRITE on the underlying table. This vulnerability is fixed in 3.39.0.
AnalysisAI
Stored cross-site scripting in Budibase before 3.39.0 lets any low-privileged BASIC app user with WRITE access to a table inject persistent JavaScript that executes in the browser of anyone who later views the data. The flaw lives in the Text component's Markdown rendering, where untrusted column values are converted to HTML and written directly to the DOM without sanitization. No public exploit identified at time of analysis, and it is not listed in CISA KEV; the issue is fixed in 3.39.0.
Technical ContextAI
Budibase is an open-source low-code platform for building internal tools and apps over a backing datastore. The vulnerability is a CWE-79 (Improper Neutralization of Input During Web Page Generation) stored XSS in packages/bbui/src/Markdown/MarkdownViewer.svelte, where the output of marked.parse(markdown) is assigned to innerHTML (Svelte's {@html} sink) with no HTML sanitizer such as DOMPurify in the path. The marked library faithfully passes raw HTML embedded in Markdown through to its output, so a payload like an <img onerror> tag or inline <script> survives parsing and is rendered as live markup. Because Svelte's normal auto-escaping is deliberately bypassed by the innerHTML binding, any table column a builder binds to a Text component in Markdown mode becomes an XSS sink that stores the payload server-side until rendered.
RemediationAI
Vendor-released patch: 3.39.0 - upgrade Budibase to 3.39.0 or later, which adds sanitization to the Markdown rendering path; see the advisory at https://github.com/Budibase/budibase/security/advisories/GHSA-57p7-9h9w-xqpw for fix details. If immediate upgrade is not possible, the most direct compensating controls are to avoid configuring Text components in Markdown mode against any column that lower-trust users can write, switching those components to plain-text rendering (trade-off: loses Markdown formatting for legitimate content), and to tighten table permissions so untrusted BASIC users do not hold WRITE on columns surfaced through Markdown Text components (trade-off: may break workflows that depend on user-supplied data entry). A content-security-policy that forbids inline script execution can reduce impact of any residual injection but will not block all DOM-based XSS vectors and may interfere with the app's own inline scripts.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-32591