Known CVE vulnerabilities and GitHub Security Advisories affecting the npm package budibase, with affected version ranges, CVSS severity, EPSS exploit prediction, and CISA KEV status.
CVEs (6)
CVE-2026-27702 — CVSS 9.9 (critical): Budibase is a low code platform for creating internal tools, workflows, and admin panels. Prior to version 3.30.4, an unsafe `eval()`…
CVE-2026-33226 — CVSS 8.7 (high): Budibase is a low code platform for creating internal tools, workflows, and admin panels. In versions from 3.30.6 and prior, the REST…
CVE-2026-45061 — CVSS 7.7 (high): Budibase is an open-source low-code platform. Prior to 3.35.10, the Plugin URL upload endpoint (POST /api/plugin) validates the submitted…
CVE-2026-46426 — CVSS 7.6 (high): Budibase is an open-source low-code platform. Prior to 3.38.2, the file upload endpoint POST /api/attachments/process does not enforce…
CVE-2026-45718 — CVSS 5.4 (medium): Budibase is an open-source low-code platform. Prior to 3.38.1, the row action trigger endpoint (POST /api/tables/:sourceId/actions/:actionId…
CVE-2026-48128: Budibase is an open-source low-code platform. Prior to 3.39.0, the executeQuery automation step in Budibase accepts a queryId from…