budibase — Vulnerabilities & Security Advisories 38

Browse all 38 CVE security advisories affecting budibase. AI-powered Chinese analysis, POCs, and references for each vulnerability.

Budibase serves as a low-code platform enabling rapid development of internal tools and business applications. Historically, the platform has been susceptible to multiple critical vulnerabilities, including remote code execution, cross-site scripting, and privilege escalation flaws, contributing to its 18 recorded CVEs. Security researchers have identified authentication bypasses and insecure default configurations as recurring issues. While no major public security incidents have been widely documented, the significant CVE count suggests potential risks for organizations implementing Budibase without rigorous hardening. Users should prioritize applying security patches and implementing additional safeguards when deploying this platform for business-critical applications.

Top products by budibase: budibase budibase/budibase
High · 2026-05-28
Missing Cache Invalidation on Public API Role Unassignment Allows Revoked Users to Retain Privileges for Up to 1 Hour
High · 2026-05-28
SSRF via trivial `.tar.gz` substring bypass in Plugin URL upload (`/api/plugin`) · Advisory · Budibase/budibase · GitHub
High · CVE-2024-4715 · 2026-05-28
SSRF Bypass via HTTP Redirect in REST Datasource Integration · Advisory · Budibase/budibase · GitHub
Critical · CVE-2026-4516 · 2026-05-28
Builder-to-Admin Privilege Escalation via onboardUsers Endpoint Without SMTP Configuration · Advisory · Budibase/budibas
Medium · CVE-2026-45719 · 2026-05-28
CouchDB Reduce Injection via Unsanitized Calculation Parameter in V1 Views API · Advisory · Budibase/budibase · GitHub
Medium · 2026-05-28
Row Action Trigger Bypasses View Row Filter Security Boundary Allowing Action on Out-of-Scope Rows · Advisory · Budibase
High · CVE-2024-45717 · 2026-05-28
`PUT /api/datasources/:datasourceId` is protected only by `TABLE/READ` permission instead of builder access, allowing an
High · 2026-05-28
Stored XSS in Text component: BASIC users execute JS in admin session via MarkdownViewer innerHTML + CDN+srcdoc CSP bypa
High · 2026-05-28
SSRF in AI Extract File Automation Step via Missing IP Blacklist Validation · Advisory · Budibase/budibase · GitHub
Critical · GHSA-g939-332f-6b99 · 2026-05-28
Workspace-scoped builder escalates to global admin via /api/public/v1/roles/assign · Advisory · Budibase/budibase · GitH
High · 2026-05-28
SSRF via OAuth2 Config Validation — Missing fetchWithBlacklist Protection · Advisory · Budibase/budibase · GitHub
Medium · 2026-05-28
SSRF via User-Controlled queryId in Automation Execute Query Step · Advisory · Budibase/budibase · GitHub
Critical · CVE-2024-48151 · 2026-05-28
Webhook schema endpoint authorization bypass allows unauthenticated mutation of webhook and automation schema · Advisory
High · CVE-2024-48152 · 2026-05-28
Basic app users can exfiltrate stored REST datasource auth by rewriting datasource base URL · Advisory · Budibase/budiba
High · CVE-2026-31816 · 2026-05-28
Unanchored Regex in `matchers.ts` Allows CSRF Bypass via Query String Injection in Budibase Worker · Advisory · Budibase
High · 2026-05-28
SSRF via OAuth2 token endpoint URL reaches internal hosts and cloud metadata · Advisory · Budibase/budibase · GitHub
Unknown · 2026-05-28
Unvalidated VectorDB Host Parameter Enables SSRF · Advisory · Budibase/budibase · GitHub
High · 2026-05-28
Unrestricted Upload of File with Dangerous Type · Advisory · Budibase/budibase · GitHub
High · CVE-2024-4425 · 2026-05-28
SCIM endpoints lack role-based authorization, BASIC users CRUD tenant users · Advisory · Budibase/budibase · GitHub
High · 2026-05-28
Snowflake private key returned unmasked from datasource API to BASIC users · Advisory · Budibase/budibase · GitHub

Showing up to 20 recent security advisories.

This page lists every published CVE security advisory associated with budibase. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.