Budibase
Session hijacking via JavaScript-readable authentication cookies in Budibase versions prior to 3.35.10 allows any Cross-Site Scripting (XSS) vulnerability to escalate into full account takeover. The budibase:auth cookie containing the JWT session token is set with httpOnly: false, enabling JavaScript to read it via document.cookie. Combined with confirmed prior XSS vulnerabilities in Budibase (GHSA-gp5x-2v54-v2q5), attackers can exfiltrate session tokens and gain persistent access to victim accounts. The cookie also lacks secure and sameSite flags, exposing tokens over plaintext HTTP. No public exploit identified at time of analysis. EPSS data not available. Patch available in version 3.35.10.
Authentication bypass in Budibase low-code platform (versions prior to 3.35.4) allows remote unauthenticated attackers to access any protected API endpoint by appending a public endpoint path as a query parameter. The vulnerability stems from unanchored regular expressions in authentication middleware that match against the full request URL including query strings, enabling attackers to craft requests like 'POST /api/global/users/search?x=/api/system/status' to bypass all authentication checks. CVSS score of 9.1 (Critical) reflects network-based remote exploitation with no authentication or user interaction required, resulting in high confidentiality impact and high availability impact. No public exploit code or active exploitation has been identified at time of analysis.
Stored cross-site scripting (XSS) in Budibase's Builder Command Palette (versions prior to 3.32.5) enables authenticated Builder users to inject malicious HTML payloads via entity names (tables, views, queries, automations), achieving session hijacking and account takeover when other Builder-role users invoke the Command Palette. CVSS 8.7 with changed scope reflects the cross-user attack vector. No public exploit identified at time of analysis, though the attack technique is straightforward for authenticated insiders. EPSS data unavailable; patch available in version 3.32.5.
Remote code execution in Budibase versions prior to 3.33.4 allows unauthenticated attackers to execute arbitrary Bash commands with root privileges inside the application container by exploiting public webhook endpoints that trigger automation workflows. The vulnerability stems from improper neutralization of special elements in OS commands (CWE-78) and requires no authentication, though the CVSS complexity is rated high (AC:H). A vendor-released patch is available in version 3.33.4, with the fix publicly documented in GitHub pull request #18238 and commit f0c731b4.
Server-Side Request Forgery (SSRF) in Budibase's REST datasource connector (versions prior to 3.33.4) allows authenticated users with low privileges to bypass IP blacklist protections and access internal network resources. The vulnerability stems from a configuration flaw where the BLACKLIST_IPS environment variable is not set by default in official deployments, causing all blacklist checks to fail silently. With CVSS 9.6 (Critical) due to scope change and high confidentiality/integrity impact, this represents a significant risk for organizations using Budibase in cloud or containerized environments. No active exploitation confirmed (not in CISA KEV), but publicly available exploit code exists via the patch disclosure.
Remote code execution in Budibase low-code platform versions prior to 3.33.4 enables authenticated attackers to execute arbitrary system commands through the bash automation step feature. The vulnerability stems from unsanitized user input processed via template interpolation in execSync calls, allowing command injection with low attack complexity. No public exploit identified at time of analysis, though the technical details disclosed in the GitHub Security Advisory provide a clear exploitation path for authenticated users with automation privileges.
Email flooding denial of service in Budibase prior to version 3.23.25 allows unauthenticated remote attackers to overwhelm user inboxes by repeatedly triggering password reset requests without rate limiting, CAPTCHA, or abuse prevention controls. An attacker can send hundreds of password reset emails to a target address in a short time window, causing user harassment, inbox denial of service, and potential reputational damage. This vulnerability has been patched in version 3.23.25.
Authorization bypass in Budibase 3.31.4 and earlier. The authorized() middleware can be bypassed, enabling injection attacks. PoC available.
Path traversal in Budibase low-code platform 3.31.5 and earlier allows attackers to read arbitrary files through the application builder.
Arbitrary file upload in Budibase 3.24.0 and earlier allows authenticated attackers to bypass UI-level file extension restrictions and upload malicious files by directly manipulating requests. An attacker with valid credentials can circumvent the intended upload controls to potentially execute arbitrary code or compromise system integrity. No patch is currently available for this vulnerability.
Budibase suffers from missing server-side role validation in user management APIs, allowing Creator-level users to escalate privileges and perform unauthorized actions reserved for Tenant Admins and Owners. An authenticated attacker with Creator permissions can promote themselves to Tenant Admin, demote existing administrators, modify owner accounts, and manipulate organizational orders, resulting in complete tenant compromise. No patch is currently available for this high-severity vulnerability.
Command injection in Budibase 3.23.22 and earlier allows authenticated attackers with high privileges to execute arbitrary system commands by injecting malicious values into PostgreSQL connection parameters that are unsanitized in shell command construction. An attacker with administrative access can exploit this vulnerability to gain complete control over the underlying server hosting the Budibase instance. No patch is currently available for this vulnerability.
Unauthorized data access in Budibase low-code platform before 3.30.4 allows unauthenticated users to manipulate internal state. PoC and patch available.
Budibase is a low-code platform for creating internal tools, workflows, and admin panels. [CVSS 8.8 HIGH]