3 matches found
@budibase/backend-core (>=3.0.0 <=3.2.26), @budibase/bbui (>=3.0.0 <=3.2.26) +7 more potentially affected by CVE-2026-35214 via @budibase/types (>=3.0.0 <=3.2.7)
@budibase/types NPM version =3.0.0, =3.0.0, =3.0.0, =3.0.0, =3.0.0, =3.0.0, =3.0.0, =3.0.0, =3.0.0, =3.0.0, =3.2.26 Source cves: CVE-2026-35214 Source advisory: SNYK:JS-BUDIBASETYPES-15917494...
@budibase/backend-core (>=3.0.0 <=3.2.26), @budibase/bbui (>=3.0.0 <=3.2.26) +6 more potentially affected by CVE-2026-25044 via @budibase/shared-core (>=3.0.0 <=3.2.7)
@budibase/shared-core NPM version =3.0.0, =3.0.0, =3.0.0, =3.0.0, =3.0.0, =3.0.0, =3.0.0, =3.0.0, =3.0.0, =3.2.26 Source cves: CVE-2026-25044 Source advisory: SNYK:JS-BUDIBASESHAREDCORE-15917501...
Command Injection
Overview @budibase/shared-core is a Shared data utils Affected versions of this package are vulnerable to Command Injection via the bash automation step, which executes user-supplied input using execSync without proper sanitization or validation. An attacker can execute arbitrary system commands ...