Budibase — Vulnerabilities & Security Advisories (18)

Browse all 18 CVE security advisories affecting Budibase. AI-powered Chinese analysis, POCs, and references for each vulnerability.

Budibase serves as a low-code platform enabling rapid development of internal tools and business applications. Historically, the platform has been susceptible to multiple critical vulnerabilities, including remote code execution, cross-site scripting, and privilege escalation flaws, contributing to its 18 recorded CVEs. Security researchers have identified authentication bypasses and insecure default configurations as recurring issues. While no major public security incidents have been widely documented, the significant CVE count suggests potential risks for organizations implementing Budibase without rigorous hardening. Users should prioritize applying security patches and implementing additional safeguards when deploying this platform for business-critical applications.

Top products by Budibase: budibase, budibase/budibase

| CVE ID | Title | Product | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2026-42239 | Budibase auth session cookies are set with httpOnly:false — any XSS can lead to full account takeover | budibase | CWE-1004 | 8.1 | High | 2026-05-07 |
| CVE-2026-41428 | Budibase: Authentication Bypass via Unanchored Regex in Public Endpoint Matcher — Unauthenticated Access to Protected Endpoints | budibase | CWE-287 | 9.1 | Critical | 2026-04-24 |
| CVE-2026-35218 | Budibase: Stored XSS via unsanitized entity names rendered with {@html} in Builder Command Palette | budibase | CWE-79 | 8.7 | High | 2026-04-03 |
| CVE-2026-35216 | Budibase: Unauthenticated Remote Code Execution via Webhook Trigger and Bash Automation Step | budibase | CWE-78 | 9.1 | Critical | 2026-04-03 |
| CVE-2026-35214 | Budibase: Path traversal in plugin file upload enables arbitrary directory deletion and file write | budibase | CWE-22 | 8.7 | High | 2026-04-03 |
| CVE-2026-31818 | Budibase: Server-Side Request Forgery via REST Connector with Empty Default Blacklist | budibase | CWE-918 | 9.6 | Critical | 2026-04-03 |
| CVE-2026-25044 | Budibase: Command Injection in Bash Automation Step | budibase | CWE-78 | 8.8 (AI) | High (AI) | 2026-04-03 |
| CVE-2026-25043 | Budibase: Unauthenticated Password Reset Endpoint Lacks Rate Limiting, Enabling Email Flooding | budibase | CWE-770 | 5.3 | Medium | 2026-04-03 |
| CVE-2026-33226 | Budibase Unrestricted Server-Side Request Forgery (SSRF) via REST Datasource Query Preview | budibase | CWE-918 | 8.7 | High | 2026-03-20 |
| CVE-2026-31816 | Budibase Universal Auth Bypass via Webhook Query Param Injection | budibase | CWE-74 | 9.1 | Critical | 2026-03-09 |
| CVE-2026-30240 | Budibase PWA ZIP Upload Path Traversal Allows Reading Arbitrary Server Files Including All Environment Secrets | budibase | CWE-22 | 9.6 | Critical | 2026-03-09 |
| CVE-2026-25045 | Budibase Critical Privilege Escalation & IDOR via Missing RBAC on User Role Management (Creator-Role) | budibase | CWE-862 | 8.8 (AI) | High (AI) | 2026-03-09 |
| CVE-2026-25737 | Budibase Arbitrary File Upload Leading to Multiple Critical Vulnerabilities (SSRF, Stored XSS) | budibase | CWE-602 | 8.9 | High | 2026-03-09 |
| CVE-2026-25041 | Budibase has a Command Injection in PostgreSQL Dump Command | budibase | CWE-78 | 9.8 (AI) | Critical (AI) | 2026-03-09 |
| CVE-2026-27702 | Budibase Vulnerable to Remote Code Execution via Unsafe eval() in View Filter Map Function (Budibase Cloud) | budibase | CWE-20 | 9.9 | Critical | 2026-02-25 |
| CVE-2026-25040 | Budibase Vulnerable to Privilege Escalation via API Abuse – Creator Can Invite Users with Admin/Any Role | budibase | CWE-863 | 8.8 (AI) | High (AI) | 2026-01-29 |
| CVE-2023-29010 | BudiBase Server-Side Request Forgery vulnerability | budibase | CWE-918 | 6.5 | Medium | 2023-04-06 |
| CVE-2022-3225 | Improper Control of Dynamically-Managed Code Resources in budibase/budibase | budibase/budibase | CWE-913 | 8.8 | High | 2022-09-16 |

This page lists every published CVE security advisory associated with Budibase. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.