2582 matches found
CVE-2026-25044
Budibase is an open-source low-code platform. Prior to version 3.33.4, the bash automation step executes user-provided commands using execSync without proper sanitization or validation. User input is processed through processStringSync which allows template interpolation, potentially allowing...
CVE-2026-35216
Budibase is an open-source low-code platform. Prior to version 3.33.4, an unauthenticated attacker can achieve Remote Code Execution RCE on the Budibase server by triggering an automation that contains a Bash step via the public webhook endpoint. No authentication is required to trigger the...
Command Injection
Overview @budibase/shared-core is a Shared data utils Affected versions of this package are vulnerable to Command Injection via the public webhook endpoint. An attacker can execute arbitrary commands as the root user within the application container and exfiltrate sensitive environment secrets by...
GHSA-FCM4-4PJ2-M5HF Budibase: Unauthenticated Remote Code Execution via Webhook Trigger and Bash Automation Step
Summary An unauthenticated attacker can achieve Remote Code Execution RCE on the Budibase server by triggering an automation that contains a Bash step via the public webhook endpoint. No authentication is required to trigger the exploit. The process executes as root inside the container. Details...
Budibase: Unauthenticated Remote Code Execution via Webhook Trigger and Bash Automation Step
Summary An unauthenticated attacker can achieve Remote Code Execution RCE on the Budibase server by triggering an automation that contains a Bash step via the public webhook endpoint. No authentication is required to trigger the exploit. The process executes as root inside the container. Details...
Command Injection
Overview @budibase/types is a Budibase types Affected versions of this package are vulnerable to Command Injection via the public webhook endpoint. An attacker can execute arbitrary commands as the root user within the application container and exfiltrate sensitive environment secrets by sending...
Command Injection
Overview @budibase/server is a Budibase Web Server Affected versions of this package are vulnerable to Command Injection via the public webhook endpoint. An attacker can execute arbitrary commands as the root user within the application container and exfiltrate sensitive environment secrets by...
Command Injection
Overview @budibase/shared-core is a Shared data utils Affected versions of this package are vulnerable to Command Injection via the bash automation step, which executes user-supplied input using execSync without proper sanitization or validation. An attacker can execute arbitrary system commands ...
Command Injection
Overview @budibase/types is a Budibase types Affected versions of this package are vulnerable to Command Injection via the bash automation step, which executes user-supplied input using execSync without proper sanitization or validation. An attacker can execute arbitrary system commands by crafti...
Command Injection
Overview @budibase/server is a Budibase Web Server Affected versions of this package are vulnerable to Command Injection via the bash automation step, which executes user-supplied input using execSync without proper sanitization or validation. An attacker can execute arbitrary system commands by...
GHSA-GJW9-34GF-RP6M Budibase: Command Injection in Bash Automation Step
Location: packages/server/src/automations/steps/bash.ts Description The bash automation step executes user-provided commands using execSync without proper sanitization or validation. User input is processed through processStringSync which allows template interpolation, potentially allowing...
Budibase: Command Injection in Bash Automation Step
Location: packages/server/src/automations/steps/bash.ts Description The bash automation step executes user-provided commands using execSync without proper sanitization or validation. User input is processed through processStringSync which allows template interpolation, potentially allowing...
EUVD-2026-18754
Budibase: Command Injection in Bash Automation Step...
CVE-2026-35216
Budibase is an open-source low-code platform. Prior to version 3.33.4, an unauthenticated attacker can achieve Remote Code Execution RCE on the Budibase server by triggering an automation that contains a Bash step via the public webhook endpoint. No authentication is required to trigger the...
CVE-2026-25044
Budibase is an open-source low-code platform. Prior to version 3.33.4, the bash automation step executes user-provided commands using execSync without proper sanitization or validation. User input is processed through processStringSync which allows template interpolation, potentially allowing...
CVE-2026-35216
Budibase is an open-source low-code platform. Prior to version 3.33.4 , an unauthenticated attacker can achieve Remote Code Execution (RCE) on the Budibase server by triggering an automation that contains a ** Bash step** via the public webhook endpoint. The process runs as root inside the contai...
CVE-2026-35216 Budibase: Unauthenticated Remote Code Execution via Webhook Trigger and Bash Automation Step
Budibase is an open-source low-code platform. Prior to version 3.33.4, an unauthenticated attacker can achieve Remote Code Execution RCE on the Budibase server by triggering an automation that contains a Bash step via the public webhook endpoint. No authentication is required to trigger the...
CVE-2026-35216 Budibase: Unauthenticated Remote Code Execution via Webhook Trigger and Bash Automation Step
Budibase is an open-source low-code platform. Prior to version 3.33.4, an unauthenticated attacker can achieve Remote Code Execution RCE on the Budibase server by triggering an automation that contains a Bash step via the public webhook endpoint. No authentication is required to trigger the...
CVE-2026-35216
Budibase is an open-source low-code platform. Prior to version 3.33.4, an unauthenticated attacker can achieve Remote Code Execution RCE on the Budibase server by triggering an automation that contains a Bash step via the public webhook endpoint. No authentication is required to trigger the...
CVE-2026-25044
Budibase is an open-source low-code platform. Prior to version 3.33.4, the bash automation step executes user-provided commands using execSync without proper sanitization or validation. User input is processed through processStringSync which allows template interpolation, potentially allowing...