budibase
Cloud & SaaS (commercial)
Latest CVEs
The 15 most recently published vulnerabilities affecting budibase.
- CVE-2026-48147 (CVSS 6.5): Budibase: Unanchored Regex in `matchers.ts` Allows CSRF Bypass via Query String Injection in Budibase Worker
- CVE-2026-45548 (CVSS 7.7): Budibase: SSRF in AI Extract File Automation Step via Missing IP Blacklist Validation
- CVE-2026-45715 (CVSS 7.7): Budibase: SSRF Bypass via HTTP Redirect in REST Datasource Integration
- CVE-2026-45716 (CVSS 8.8): Budibase: Builder-to-Admin Privilege Escalation via onboardUsers Endpoint Without SMTP Configuration
- CVE-2026-45717 (CVSS 8.8): Budibase: `PUT /api/datasources/:datasourceId` is protected only by `TABLE/READ` permission instead of builder access, allowing any authenticated app user to overwrite datasource connection parameters including host, port, and URL.
- CVE-2026-45718 (CVSS 5.4): Budibase: Row Action Trigger Bypasses View Row Filter Security Boundary Allowing Action on Out-of-Scope Rows
- CVE-2026-45719 (CVSS 6.5): Budibase: CouchDB Reduce Injection via Unsanitized Calculation Parameter in V1 Views API
- CVE-2026-46425 (CVSS 9.9): Budibase: SCIM endpoints lack role-based authorization, BASIC users CRUD tenant users
- CVE-2026-46424 (CVSS 4.2): Budibase: Missing Cache Invalidation on Public API Role Unassignment Allows Revoked Users to Retain Privileges for Up to 1 Hour
- CVE-2026-46426 (CVSS 7.6): Budibase: Unrestricted Upload of File with Dangerous Type
- CVE-2026-46427 (CVSS 7.7): Budibase: Snowflake private key returned unmasked from datasource API to BASIC users
- CVE-2026-48146 (CVSS 7.7): Budibase: SSRF via OAuth2 Config Validation — Missing fetchWithBlacklist Protection
- CVE-2026-48149 (CVSS 8.1): Budibase: Stored XSS in Text component: BASIC users execute JS in admin session via MarkdownViewer innerHTML + CDN+srcdoc CSP bypass
- CVE-2026-48150 (CVSS 9.0): Budibase: Workspace-scoped builder escalates to global admin via /api/public/v1/roles/assign
- CVE-2026-48151 (CVSS 7.5): Budibase: Webhook schema endpoint authorization bypass allows unauthenticated mutation of webhook and automation schema
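The first entry names a bug class that is easy to reproduce in miniature: a CSRF-exemption matcher built from an unanchored regular expression, tested against a string the attacker partly controls. The TypeScript below is an added illustration written for this page; it is not Budibase's `matchers.ts` or any code from the advisory, and the route patterns, request shape, token value and helper names are assumptions chosen for the example.

```typescript
// Added illustration, not Budibase code: how a CSRF-exemption matcher built from an
// unanchored regex is bypassed through the query string.
// Assumed model: middleware skips the CSRF token check when the request matches one of a
// list of "public" route patterns. Patterns, request shape, token and helper names are constructed.

interface HttpRequest {
  method: string;
  url: string;        // path plus optional query string, as received by the server
  csrfToken?: string; // token the client sent, if any
}

const VALID_CSRF_TOKEN = "good-token"; // constructed; a real token is per-session and random

// Weak: nothing pins the pattern to the start or end of the string, so RegExp.test()
// succeeds whenever the public path appears anywhere in the tested string.
const unanchoredPublic: RegExp[] = [/\/api\/public\/v1\/webhooks/, /\/api\/global\/auth/];

// Hardened: each pattern must consume the whole path (^ ... $) and may only extend it
// by well-formed extra segments, never by arbitrary trailing text.
const anchoredPublic: RegExp[] = [
  /^\/api\/public\/v1\/webhooks(\/[^/?#]+)?$/,
  /^\/api\/global\/auth(\/[^/?#]+)*$/,
];

// Path component only: everything before the first '?' or '#'.
function pathOnly(url: string): string {
  const cut = url.search(/[?#]/);
  return cut === -1 ? url : url.slice(0, cut);
}

// Vulnerable exemption check: unanchored patterns tested against the full URL.
function isCsrfExemptWeak(req: HttpRequest): boolean {
  return unanchoredPublic.some((re) => re.test(req.url));
}

// Hardened exemption check: anchored patterns tested against the path alone.
function isCsrfExemptStrict(req: HttpRequest): boolean {
  const path = pathOnly(req.url);
  return anchoredPublic.some((re) => re.test(path));
}

// The middleware: safe methods and exempt routes pass; everything else needs the token.
function csrfCheck(req: HttpRequest, isExempt: (r: HttpRequest) => boolean): "allowed" | "rejected" {
  const safeMethod = req.method === "GET" || req.method === "HEAD" || req.method === "OPTIONS";
  if (safeMethod || isExempt(req)) return "allowed";
  return req.csrfToken === VALID_CSRF_TOKEN ? "allowed" : "rejected";
}

// Constructed requests.
// A forged cross-site POST to a protected route; the attacker chooses the query string
// freely, so they embed the text of a public route in it.
const forged: HttpRequest = { method: "POST", url: "/api/global/users?next=/api/public/v1/webhooks" };
// A legitimate call to a genuinely public route, sent without a token.
const publicCall: HttpRequest = { method: "POST", url: "/api/public/v1/webhooks/hook-1" };
// A legitimate state change carrying the correct token.
const withToken: HttpRequest = { method: "POST", url: "/api/global/users", csrfToken: VALID_CSRF_TOKEN };

function demo() {
  return {
    forgedWeak: csrfCheck(forged, isCsrfExemptWeak),         // "allowed": the bypass
    forgedStrict: csrfCheck(forged, isCsrfExemptStrict),     // "rejected"
    publicStrict: csrfCheck(publicCall, isCsrfExemptStrict), // "allowed": exemption still works
    tokenStrict: csrfCheck(withToken, isCsrfExemptStrict),   // "allowed"
  };
}

console.log(demo());
```

Two separate mistakes combine here. A missing `^` lets the pattern match anywhere in the string, including the query string; a missing `$` turns `/api/global/auth` into a prefix match that also covers `/api/global/authz/...`. Matching against the path component alone (in Koa, `ctx.path` rather than `ctx.url`) removes the query-string vector, and anchoring removes the prefix one; both are needed.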
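Three entries above are server-side request forgery through a fetch that either never checks the destination address (the AI Extract file step, OAuth2 config validation) or checks only the URL the user typed and then follows redirects (the REST datasource). The TypeScript below is an added example written for this page, not Budibase's `fetchWithBlacklist` or any of its integration code; DNS and HTTP are replaced by constructed fakes so it runs offline, and every hostname, address and helper name is an assumption.

```typescript
// Added illustration, not Budibase code: blocking server-side requests to internal
// addresses, and why the check must be repeated on every redirect hop.
// Network and DNS are constructed fakes so this runs offline.

type Resolver = (host: string) => string; // hostname -> IPv4 literal (assumed single-answer DNS)
interface Hop { status: number; location?: string; body?: string }
type Fetcher = (url: string) => Hop;      // performs ONE request and does not follow redirects
interface FetchResult { ok: boolean; reason: string; body?: string }

// Deny RFC 1918, loopback, "this network" and link-local (which includes the cloud
// metadata address 169.254.169.254). Anything that is not a plain dotted quad is refused
// too: the conservative choice for an example that only models IPv4.
function isBlockedIp(ip: string): boolean {
  const parts = ip.split(".").map(Number);
  if (parts.length !== 4 || parts.some((n) => isNaN(n) || n < 0 || n > 255)) return true;
  const a = parts[0], b = parts[1];
  return a === 0 || a === 10 || a === 127
    || (a === 172 && b >= 16 && b <= 31)
    || (a === 192 && b === 168)
    || (a === 169 && b === 254);
}

// Vulnerable: validates only the URL the user supplied, then follows redirects blindly.
function fetchWeak(startUrl: string, resolve: Resolver, fetchOnce: Fetcher, maxHops = 5): FetchResult {
  const first = new URL(startUrl);
  const ip = resolve(first.hostname);
  if (isBlockedIp(ip)) return { ok: false, reason: `blocked: ${first.hostname} -> ${ip}` };
  let url = startUrl;
  for (let i = 0; i < maxHops; i++) {
    const hop = fetchOnce(url);
    if (hop.status >= 300 && hop.status < 400 && hop.location) {
      url = new URL(hop.location, url).toString(); // redirect target is never checked
      continue;
    }
    return { ok: true, reason: `fetched ${url}`, body: hop.body };
  }
  return { ok: false, reason: "too many redirects" };
}

// Hardened: every hop is parsed, scheme-checked, resolved and checked before it is requested.
function fetchStrict(startUrl: string, resolve: Resolver, fetchOnce: Fetcher, maxHops = 5): FetchResult {
  let url = startUrl;
  for (let i = 0; i < maxHops; i++) {
    const target = new URL(url);
    if (target.protocol !== "http:" && target.protocol !== "https:") {
      return { ok: false, reason: `scheme not allowed: ${target.protocol}` };
    }
    const ip = resolve(target.hostname);
    if (isBlockedIp(ip)) return { ok: false, reason: `blocked: ${target.hostname} -> ${ip}` };
    const hop = fetchOnce(url);
    if (hop.status >= 300 && hop.status < 400 && hop.location) {
      url = new URL(hop.location, url).toString(); // the loop re-checks the new target
      continue;
    }
    return { ok: true, reason: `fetched ${url}`, body: hop.body };
  }
  return { ok: false, reason: "too many redirects" };
}

// Constructed DNS table and web: attacker.example is public and answers with a redirect
// into the link-local metadata address; unknown names are treated as IP literals.
const fakeDns: Record<string, string> = {
  "attacker.example": "203.0.113.10",
  "intranet.internal": "10.0.0.5",
};
const resolveFake: Resolver = (host) => fakeDns[host] !== undefined ? fakeDns[host] : host;

const fakeWeb: Record<string, Hop> = {
  "http://attacker.example/start": { status: 302, location: "http://169.254.169.254/latest/meta-data/" },
  "http://169.254.169.254/latest/meta-data/": { status: 200, body: "CONSTRUCTED-METADATA" },
  "http://attacker.example/page": { status: 200, body: "public page" },
};
const fetchFake: Fetcher = (url) => fakeWeb[url] !== undefined ? fakeWeb[url] : { status: 404, body: "" };

function demoSsrf() {
  const start = "http://attacker.example/start";
  return {
    weak: fetchWeak(start, resolveFake, fetchFake),     // ok: true, body "CONSTRUCTED-METADATA"
    strict: fetchStrict(start, resolveFake, fetchFake), // ok: false, blocked at the redirect hop
    direct: fetchStrict("http://intranet.internal/", resolveFake, fetchFake),  // ok: false
    benign: fetchStrict("http://attacker.example/page", resolveFake, fetchFake), // ok: true
  };
}

console.log(demoSsrf());
```

Two practical caveats. First, the per-hop loop only works if the HTTP client is told not to follow redirects itself (for the WHATWG `fetch` API that is `redirect: "manual"`), otherwise the client silently does what `fetchWeak` does. Second, resolving a name, checking the answer and then letting the client resolve it again leaves a window for DNS rebinding; in Node the address that is checked should be the one connected to, which means supplying a custom `lookup` to the request or agent options and rejecting there, rather than checking a separate resolution in advance.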