budibase
npm4 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting budibasepage 1 of 1
- CVE-2026-45061HIGHCVSS 7.7EG 7.7✓ Fixed in 3.35.102026-05-27
Budibase is an open-source low-code platform. Prior to 3.35.10, the Plugin URL upload endpoint (POST /api/plugin) validates the submitted URL with a single substring check: url.includes(".tar.gz"). Any URL containing .tar.gz anywhere in th…
- CVE-2026-45718MEDIUMCVSS 5.4EG 5.4✓ Fixed in 3.38.12026-05-18
Budibase is an open-source low-code platform. Prior to 3.38.1, the row action trigger endpoint (POST /api/tables/:sourceId/actions/:actionId/trigger) fails to validate that the user-supplied rowId is within the scope of the view's row filt…
- CVE-2026-46426HIGHCVSS 7.6EG 7.6✓ Fixed in 3.38.22026-05-19
Budibase is an open-source low-code platform. Prior to 3.38.2, the file upload endpoint POST /api/attachments/process does not enforce active-content restrictions for authenticated users. The checks for dangerous file extensions are condit…
- CVE-2026-48128MEDIUMCVSS 5.1EG 5.1✓ Fixed in 3.39.02026-05-27
Budibase is an open-source low-code platform. Prior to 3.39.0, the executeQuery automation step in Budibase accepts a queryId from automation step inputs and passes it directly to the query execution controller without additional validatio…
Check whether budibase is used in your infrastructure
EchelonGraph scans your cloud and SBOMs to map every package to your actual deployments. See blast radius for budibase CVEs against the assets you own.
Start Free Scan →