14 matches found

RedhatCVE
added 2026/04/04 5:0 p.m., 3 views

CVE-2026-25044

Budibase is an open-source low-code platform. Prior to version 3.33.4, the bash automation step executes user-provided commands using execSync without proper sanitization or validation. User input is processed through processStringSync which allows template interpolation, potentially allowing...

CVSS 8.8 | AI score 5.9 | EPSS 0.00466
Exploits: 0 | References: 1

OSV
added 2026/04/04 6:4 a.m., 4 views

GHSA-FCM4-4PJ2-M5HF Budibase: Unauthenticated Remote Code Execution via Webhook Trigger and Bash Automation Step

Summary: An unauthenticated attacker can achieve Remote Code Execution (RCE) on the Budibase server by triggering an automation that contains a Bash step via the public webhook endpoint. No authentication is required to trigger the exploit. The process executes as root inside the container. Details...

CVSS 9 | AI score 6.2 | EPSS 0.11982
Exploits: 1 | References: 6

Snyk
added 2026/04/03 9:53 p.m., 3 views

Command Injection

Overview: @budibase/shared-core is a Shared data utils. Affected versions of this package are vulnerable to Command Injection via the bash automation step, which executes user-supplied input using execSync without proper sanitization or validation. An attacker can execute arbitrary system commands ...

CVSS 8.8 | AI score 6.7 | EPSS 0.00466
Exploits: 0 | References: 2

Snyk
added 2026/04/03 9:53 p.m., 3 views

Command Injection

Overview: @budibase/server is a Budibase Web Server. Affected versions of this package are vulnerable to Command Injection via the bash automation step, which executes user-supplied input using execSync without proper sanitization or validation. An attacker can execute arbitrary system commands by...

CVSS 8.8 | AI score 6.7 | EPSS 0.00466
Exploits: 0 | References: 2

EUVD
added 2026/04/03 9:53 p.m., 4 views

EUVD-2026-18754

Budibase: Command Injection in Bash Automation Step...

CVSS 8.7 | AI score 5.9 | EPSS 0.00466
Exploits: 0 | References: 3

OSV
added 2026/04/03 9:53 p.m., 4 views

GHSA-GJW9-34GF-RP6M Budibase: Command Injection in Bash Automation Step

Location: packages/server/src/automations/steps/bash.ts. Description: The bash automation step executes user-provided commands using execSync without proper sanitization or validation. User input is processed through processStringSync which allows template interpolation, potentially allowing...

CVSS 8.8 | AI score 6.5 | EPSS 0.00466
Exploits: 0 | References: 4

Github Security Blog
added 2026/04/03 9:53 p.m., 6 views

Budibase: Command Injection in Bash Automation Step

Location: packages/server/src/automations/steps/bash.ts. Description: The bash automation step executes user-provided commands using execSync without proper sanitization or validation. User input is processed through processStringSync which allows template interpolation, potentially allowing...

CVSS 8.8 | AI score 6.5 | EPSS 0.00466
Exploits: 0 | References: 4 | Affected Software: 1

NVD
added 2026/04/03 4:16 p.m., 6 views

CVE-2026-25044

Budibase is an open-source low-code platform. Prior to version 3.33.4, the bash automation step executes user-provided commands using execSync without proper sanitization or validation. User input is processed through processStringSync which allows template interpolation, potentially allowing...

CVSS 8.8 | EPSS 0.00466
Exploits: 0 | References: 2

ATTACKERKB
added 2026/04/03 3:38 p.m., 4 views

CVE-2026-25044

Budibase is an open-source low-code platform. Prior to version 3.33.4, the bash automation step executes user-provided commands using execSync without proper sanitization or validation. User input is processed through processStringSync which allows template interpolation, potentially allowing...

CVSS 8.7 | AI score 5.9 | EPSS 0.00466
Exploits: 0 | References: 3 | Affected Software: 1

Vulnrichment
added 2026/04/03 3:38 p.m., 4 views

CVE-2026-25044 Budibase: Command Injection in Bash Automation Step

Budibase is an open-source low-code platform. Prior to version 3.33.4, the bash automation step executes user-provided commands using execSync without proper sanitization or validation. User input is processed through processStringSync which allows template interpolation, potentially allowing...

CVSS 8.7 | AI score 5.9 | EPSS 0.00466
Exploits: 0 | References: 2

Cvelist
added 2026/04/03 3:38 p.m., 14 views

CVE-2026-25044 Budibase: Command Injection in Bash Automation Step

Budibase is an open-source low-code platform. Prior to version 3.33.4, the bash automation step executes user-provided commands using execSync without proper sanitization or validation. User input is processed through processStringSync which allows template interpolation, potentially allowing...

CVSS 8.7 | EPSS 0.00466
Exploits: 0 | References: 2

CVE
added 2026/04/03 3:38 p.m., 12 views

CVE-2026-25044

Budibase (open-source low-code platform) contains a command-injection vulnerability prior to version 3.33.4. The bash automation step executes user-provided commands via execSync without proper sanitization or validation. User input is processed through processStringSync, which allows template in...

CVSS 8.8 | AI score 5.9 | EPSS 0.00466
Exploits: 0 | References: 2 | Affected Software: 1

Positive Technologies
added 2026/04/03 12:0 a.m., 6 views

PT-2026-30171

Name of the Vulnerable Software and Affected Versions: Budibase versions prior to 3.33.4. Description: Budibase, an open-source low-code platform, prior to version 3.33.4, allows arbitrary command execution through the bash automation step. This occurs because user-provided commands are executed usi...

CVSS 8.8 | AI score 6.1 | EPSS 0.00466
Exploits: 0 | References: 7

Kitploit
added 2021/11/28 11:30 a.m., 24 views

4-ZERO-3 - 403/401 Bypass Methods + Bash Automation

Introduction: 4-ZERO-3 is a tool to bypass 403/401. This script contains all the possible techniques to do the same. NOTE: If you see multiple 200 OK/bypasses as output, you must check the Content-Length. If the Content-Length is the same for multiple 200 OK/bypasses, it means a false positive. Reason can be...

AI score 7.2
Exploits: 0 | References: 1