14 Total advisories
14 Vulnerabilities
0 Malware
Vulnerabilities
Severity | ID | Title
CRITICAL 9.0 | CVE-2026-48150 | Budibase: Workspace-scoped builder escalates to global admin via /api/public/v1/roles/assign
UNKNOWN | CVE-2026-48148 | Budibase: Unvalidated VectorDB Host Parameter Enables SSRF
HIGH 7.5 | CVE-2026-48151 | Budibase: Webhook schema endpoint authorization bypass allows unauthenticated mutation of webhook and automation schema
HIGH 8.1 | CVE-2026-48152 | Budibase: Basic app users can exfiltrate stored REST datasource auth by rewriting datasource base URL
HIGH 7.7 | CVE-2026-48146 | Budibase: SSRF via OAuth2 Config Validation — Missing fetchWithBlacklist Protection
HIGH 7.7 | CVE-2026-45548 | Budibase: SSRF in AI Extract File Automation Step via Missing IP Blacklist Validation
HIGH 8.8 | CVE-2026-45717 | Budibase: `PUT /api/datasources/:datasourceId` is protected only by `TABLE/READ` permission instead of builder access, allowing any authenticated app user to overwrite datasource connection parameters including host, port, and URL
MEDIUM 6.5 | CVE-2026-45719 | Budibase: CouchDB Reduce Injection via Unsanitized Calculation Parameter in V1 Views API
HIGH 7.7 | CVE-2026-45715 | Budibase: SSRF Bypass via HTTP Redirect in REST Datasource Integration
HIGH 8.8 | CVE-2026-25044 | Budibase: Command Injection in Bash Automation Step
CRITICAL 9.0 | CVE-2026-35216 | Budibase: Unauthenticated Remote Code Execution via Webhook Trigger and Bash Automation Step
HIGH 8.7 | CVE-2026-35214 | Budibase: Path traversal in plugin file upload enables arbitrary directory deletion and file write
UNKNOWN | CVE-2026-25041 | @budibase/server: Command Injection in PostgreSQL Dump Command
CRITICAL 9.8 | GHSA-4g2x-vq5p-5vj6 | Budibase affected by VM2 Constructor Escape Vulnerability