pkg:npm/@budibase/server

8 total CVEs: CRITICAL 1, HIGH 5, MEDIUM 1

All known vulnerabilities

  • CRITICAL 9.0 - CVE-2026-35216 - Budibase: Unauthenticated Remote Code Execution via Webhook Trigger and Bash Automation Step
    from 0, < 3.33.4
  • HIGH 8.8 - CVE-2026-45717 - Budibase: `PUT /api/datasources/:datasourceId` is protected only by `TABLE/READ` permission instead of builder access, allowing any authenticated app user to overwrite datasource connection parameters including host, port, and URL
    from 0, < 3.38.1
  • HIGH 8.8 - CVE-2026-25044 - Budibase: Command Injection in Bash Automation Step
    from 0, < 3.33.4
  • HIGH 8.7 - CVE-2026-35214 - Budibase: Path traversal in plugin file upload enables arbitrary directory deletion and file write
    from 0, < 3.33.4
  • HIGH 7.7 - CVE-2026-45715 - Budibase: SSRF Bypass via HTTP Redirect in REST Datasource Integration
    from 0, < 3.38.1
  • HIGH 7.7 - CVE-2026-45548 - Budibase: SSRF in AI Extract File Automation Step via Missing IP Blacklist Validation
    from 0, < 3.34.8
  • MEDIUM 6.5 - CVE-2026-45719 - Budibase: CouchDB Reduce Injection via Unsanitized Calculation Parameter in V1 Views API
    from 0, < 3.38.1
  • CVE-2026-25041 - @budibase/server: Command Injection in PostgreSQL Dump Command
    from 0, < 3.23.32