pkg:npm/@budibase/backend-core

4 total CVEs: CRITICAL 2, HIGH 1, MEDIUM 1

All known vulnerabilities

  • CRITICAL 9.6 | CVE-2026-31818 | Budibase: Server-Side Request Forgery via REST Connector with Empty Default Blacklist
    from 0, < 3.33.4
  • CRITICAL 9.1 | CVE-2026-41428 | Budibase: Authentication Bypass via Unanchored Regex in Public Endpoint Matcher — Unauthenticated Access to Protected Endpoints
    from 0, <= 3.35.3
  • HIGH 8.1 | CVE-2026-42239 | Budibase auth session cookies are set with httpOnly:false — any XSS can lead to full account takeover
    from 0, < 3.35.10
  • MEDIUM 4.2 | CVE-2026-46424 | Budibase: Missing Cache Invalidation on Public API Role Unassignment Allows Revoked Users to Retain Privileges for Up to 1 Hour
    from 0, < 3.38.2