@budibase/server (npm) — known CVEs & security advisories
Known CVE vulnerabilities and GitHub Security Advisories affecting the npm package @budibase/server, with affected version ranges, CVSS severity, EPSS exploit prediction, and CISA KEV status.
CVEs (20)
CVE-2026-54350 — CVSS 10.0 (critical): Budibase is an open-source low-code platform. Prior to 3.39.12, an unauthenticated visitor of any published Budibase app reads every…
CVE-2026-54352 — CVSS 9.6 (critical): Budibase is an open-source low-code platform. Prior to 3.39.9, `POST /api/pwa/process-zip` at packages/server/src/api/routes/static.ts:24…
CVE-2026-50137 — CVSS 9.4 (critical): Budibase is an open-source low-code platform. Prior to 3.39.0, an anonymous attacker who knows or can enumerate a workspace id (app_...)…
CVE-2026-48150 — CVSS 9.0 (critical): Budibase is an open-source low-code platform. Prior to 3.39.0, /api/public/v1/roles/assign is guarded by the builderOrAdmin middleware…
CVE-2026-35216 — CVSS 9.0 (critical): Budibase is an open-source low-code platform. Prior to version 3.33.4, an unauthenticated attacker can achieve Remote Code Execution (RCE)…
CVE-2026-45717 — CVSS 8.8 (high): Budibase is an open-source low-code platform. Prior to 3.38.1, Budibase exposes a REST API for datasource management. The route PUT…
CVE-2026-25044 — CVSS 8.8 (high): Budibase is an open-source low-code platform. Prior to version 3.33.4, the bash automation step executes user-provided commands using…
CVE-2026-35214 — CVSS 8.7 (high): Budibase is an open-source low-code platform. Prior to version 3.33.4, the plugin file upload endpoint (POST /api/plugin/upload) passes the…
CVE-2026-48153 — CVSS 8.5 (high): Budibase is an open-source low-code platform. Prior to 3.39.0, fetchToken in the OAuth2 SDK makes a POST to a builder-supplied URL with…
CVE-2026-54351 — CVSS 8.2 (high): Budibase is an open-source low-code platform. Prior to 3.39.9, the webhook trigger endpoint in Budibase is publicly accessible and passes…
CVE-2026-48152 — CVSS 8.1 (high): Budibase is an open-source low-code platform. Prior to 3.39.0, the single-datasource GET and PUT routes are guarded by generic TABLE READ…
CVE-2026-45715 — CVSS 7.7 (high): Budibase is an open-source low-code platform. Prior to 3.38.1, the REST datasource integration (packages/server/src/integrations/rest.ts)…
CVE-2026-48146 — CVSS 7.7 (high): Budibase is an open-source low-code platform. Prior to 3.39.0, the OAuth2 token fetch function in packages/server/src/sdk/workspace/oauth2/u…
CVE-2026-45548 — CVSS 7.7 (high): Budibase is an open-source low-code platform. Prior to 3.34.8, the processUrlFile function in packages/server/src/automations/steps/ai/extra…
CVE-2026-48151 — CVSS 7.5 (high): Budibase is an open-source low-code platform. Prior to 3.39.0, the webhook schema-building endpoint is registered under builderRoutes, but…
CVE-2026-50136 — CVSS 7.4 (high): Budibase is an open-source low-code platform. Prior to 3.39.3, the application server exposes an unauthenticated endpoint that generates S3…
CVE-2026-50132 — CVSS 7.3 (high): Budibase is an open-source low-code platform. Prior to 3.39.0, `GET /api/chat-links/:instance/:token/handoff` is a public endpoint (no auth…
CVE-2026-25041 — CVSS 7.2 (high): Budibase is a low code platform for creating internal tools, workflows, and admin panels. In 3.23.22 and earlier, the PostgreSQL…
CVE-2026-45719 — CVSS 6.5 (medium): Budibase is an open-source low-code platform. Prior to 3.38.1, the V1 Views API (POST /api/views) accepts a calculation parameter from the…
CVE-2026-48148: Budibase is an open-source low-code platform. Prior to 3.35.3, the VectorDB configuration endpoint in Budibase accepts a host parameter…