14 matches found

Cvelist · added 2026/05/27 5:06 p.m. · 36 views

CVE-2026-46425 Budibase: SCIM endpoints lack role-based authorization, BASIC users CRUD tenant users

Budibase is an open-source low-code platform. Prior to 3.38.2, packages/worker/src/api/routes/global/scim.ts attaches only two middlewares to the SCIM router: requireSCIM, which checks the Enterprise feature flag and SCIM config, and doInScimContext, which sets the SCIM request context. There is no role check...

CVSS 9.9 · EPSS 0.00044
Exploits: 0 · References: 2
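
The chain below is an added example, not Budibase's code. It models the routing pattern the advisory describes: a router whose only middlewares are a feature gate and a context setter, so a BASIC user reaches the user-management handler, and the same router with an explicit role gate in front of the handlers. The middleware names requireSCIM and doInScimContext follow the advisory; their bodies, the context shape, the tenant data and the requireAdmin middleware are assumptions made for this example.

```typescript
// Added example, not Budibase code: a minimal Koa-style middleware chain that
// models the routing pattern described in CVE-2026-46425. The middleware
// names requireSCIM and doInScimContext follow the advisory, but their bodies,
// the context shape, the tenant data and requireAdmin are assumptions.

type Role = "ADMIN" | "BASIC";

interface Ctx {
  user: { id: string; role: Role };
  params: { userId: string };
  status: number;
  state: { scim?: boolean; users: string[] };
}
type Middleware = (ctx: Ctx, next: () => void) => void;

// Constructed tenant settings standing in for the Enterprise licence flag and SCIM config.
const tenantConfig = { licenseHasScim: true, scimEnabled: true };

// Middleware 1: feature gate. Decides whether SCIM is available at all, not who may call it.
const requireSCIM: Middleware = (ctx, next) => {
  if (!tenantConfig.licenseHasScim || !tenantConfig.scimEnabled) {
    ctx.status = 400;
    return;
  }
  next();
};

// Middleware 2: request context. Again no authorization decision is made here.
const doInScimContext: Middleware = (ctx, next) => {
  ctx.state.scim = true;
  next();
};

// The check the vulnerable router lacks: an explicit role gate in front of the handlers.
const requireAdmin: Middleware = (ctx, next) => {
  if (ctx.user.role !== "ADMIN") {
    ctx.status = 403;
    return;
  }
  next();
};

// A destructive SCIM handler: removes a tenant user by id.
const deleteUser: Middleware = (ctx) => {
  const idx = ctx.state.users.indexOf(ctx.params.userId);
  if (idx < 0) {
    ctx.status = 404;
    return;
  }
  ctx.state.users.splice(idx, 1);
  ctx.status = 204;
};

// Koa-compose style dispatcher: each middleware decides whether to call next().
function runChain(chain: Middleware[], ctx: Ctx): void {
  let last = -1;
  const dispatch = (i: number): void => {
    if (i <= last) throw new Error("next() called more than once");
    last = i;
    const fn = chain[i];
    if (fn) fn(ctx, () => dispatch(i + 1));
  };
  dispatch(0);
}

// Router as the advisory describes it: only the two non-authorizing middlewares.
const vulnerableScimRouter: Middleware[] = [requireSCIM, doInScimContext, deleteUser];
// Same router with a role gate added before the handlers.
const fixedScimRouter: Middleware[] = [requireSCIM, doInScimContext, requireAdmin, deleteUser];

// Simulate DELETE /scim/Users/:userId as a caller with the given role against a fresh tenant.
function simulateDelete(router: Middleware[], role: Role, userId: string): { status: number; users: string[] } {
  const ctx: Ctx = {
    user: { id: "caller", role },
    params: { userId },
    status: 200,
    state: { users: ["alice", "bob"] }, // constructed tenant directory
  };
  runChain(router, ctx);
  return { status: ctx.status, users: ctx.state.users };
}

console.log("BASIC caller, vulnerable router:", simulateDelete(vulnerableScimRouter, "BASIC", "alice"));
console.log("BASIC caller, fixed router:     ", simulateDelete(fixedScimRouter, "BASIC", "alice"));
```

The point of the dispatcher is that a middleware only blocks a request by not calling next(); a feature flag and a context setter both always call it, so nothing between the route and the handler ever looks at the caller's role. The fix is a gate that makes that decision before any SCIM handler runs.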
AttackerKB · added 2026/05/27 5:03 p.m. · 4 views

CVE-2026-46427

Budibase is an open-source low-code platform. Prior to 3.38.3, removeSecrets at packages/server/src/sdk/workspace/datasources/datasources.ts masks only datasource config fields whose schema type is DatasourceFieldType.PASSWORD. The Snowflake integration types its privateKey field as...

CVSS 7.7 · AI score 5.8 · EPSS 0.00034
Exploits: 0 · References: 2 · Affected Software: 1
Cvelist · added 2026/05/27 5:03 p.m. · 36 views

CVE-2026-46427 Budibase: Snowflake private key returned unmasked from datasource API to BASIC users

Budibase is an open-source low-code platform. Prior to 3.38.3, removeSecrets at packages/server/src/sdk/workspace/datasources/datasources.ts masks only datasource config fields whose schema type is DatasourceFieldType.PASSWORD. The Snowflake integration types its privateKey field as...

CVSS 7.7 · EPSS 0.00034
Exploits: 0 · References: 1
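
The following is an added example, not Budibase's code, covering both CVE-2026-46427 entries above. It shows the masking pattern the advisory describes (secrecy inferred from the PASSWORD widget type alone) beside a version that masks on an explicit secret marker, plus an audit helper that reports any secret field still carrying its stored value after masking. The Snowflake-like schema, its field names, the assumption that the private key is entered through a multi-line text field, the `secret` flag and the mask string are all constructed for this example.

```typescript
// Added example, not Budibase code: the masking pattern described in
// CVE-2026-46427. The Snowflake-like schema, the `secret` flag and the mask
// string are assumptions made for this example.

type FieldType = "string" | "password" | "longform" | "boolean";

interface FieldSchema {
  type: FieldType;
  secret?: boolean; // explicit marker, independent of the UI widget type
}
type DatasourceSchema = Record<string, FieldSchema>;
type DatasourceConfig = Record<string, unknown>;

const MASK = "--secret-value--";

// Constructed schema: the private key is a multi-line text field rather than a
// password field, because a PEM-encoded key is pasted in as text (assumption).
const snowflakeSchema: DatasourceSchema = {
  account: { type: "string" },
  username: { type: "string" },
  password: { type: "password" },
  privateKey: { type: "longform", secret: true },
  privateKeyPassphrase: { type: "password" },
  warehouse: { type: "string" },
};

// Constructed stored config; every value is a placeholder.
const snowflakeConfig: DatasourceConfig = {
  account: "acme-eu",
  username: "svc_reporting",
  password: "hunter2",
  privateKey: "-----BEGIN PRIVATE KEY-----\nMIIEv...placeholder...\n-----END PRIVATE KEY-----",
  privateKeyPassphrase: "keypass",
  warehouse: "REPORTING_WH",
};

// Vulnerable shape: a field is masked only if its widget type is "password".
function removeSecretsByWidgetType(config: DatasourceConfig, schema: DatasourceSchema): DatasourceConfig {
  const out: DatasourceConfig = { ...config };
  for (const name of Object.keys(schema)) {
    if (schema[name].type === "password" && name in out) out[name] = MASK;
  }
  return out;
}

// Hardened shape: password fields are implicitly secret, and any field can be
// flagged secret regardless of how it is edited in the UI.
function isSecretField(field: FieldSchema): boolean {
  return field.type === "password" || field.secret === true;
}

function removeSecrets(config: DatasourceConfig, schema: DatasourceSchema): DatasourceConfig {
  const out: DatasourceConfig = { ...config };
  for (const name of Object.keys(schema)) {
    if (isSecretField(schema[name]) && name in out) out[name] = MASK;
  }
  return out;
}

// Audit helper for a unit test or CI check: names of secret fields whose value
// survived masking. Anything returned here is what a datasource read API would
// hand to every caller allowed to fetch the datasource.
function unmaskedSecrets(original: DatasourceConfig, masked: DatasourceConfig, schema: DatasourceSchema): string[] {
  const leaked: string[] = [];
  for (const name of Object.keys(schema)) {
    if (isSecretField(schema[name]) && name in original && masked[name] === original[name]) {
      leaked.push(name);
    }
  }
  return leaked;
}

console.log("by widget type, still exposed:", unmaskedSecrets(snowflakeConfig, removeSecretsByWidgetType(snowflakeConfig, snowflakeSchema), snowflakeSchema));
console.log("by secret flag, still exposed: ", unmaskedSecrets(snowflakeConfig, removeSecrets(snowflakeConfig, snowflakeSchema), snowflakeSchema));
```

The audit helper is the practical takeaway: run it over every integration's schema and a populated config in the test suite, so that a new integration which types a credential as anything other than a password field fails the build instead of shipping the credential to BASIC users.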
Cvelist · added 2026/05/27 4:59 p.m. · 32 views

CVE-2026-48149 Budibase: Stored XSS in Text component: BASIC users execute JS in admin session via MarkdownViewer innerHTML + CDN+srcdoc CSP bypass

Budibase is an open-source low-code platform. Prior to 3.39.0, the Budibase Text component renders markdown by assigning marked.parse(markdown) straight to innerHTML with no sanitizer (packages/bbui/src/Markdown/MarkdownViewer.svelte:22). Any column a builder binds to a Text component in Markdown mod...

CVSS 8.1 · EPSS 0.00036
Exploits: 0 · References: 1
CVE · added 2026/05/27 4:59 p.m. · 6 views

CVE-2026-48149

CVE-2026-48149 affects Budibase prior to version 3.39.0, where the Budibase Text component in Markdown mode rendered markdown by assigning marked.parse(markdown) directly to innerHTML without sanitization (MarkdownViewer.svelte:22). This creates a stored-XSS sink in any column bound to a Text com...

CVSS 8.1 · AI score 5.8 · EPSS 0.00036
Exploits: 0 · References: 1
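
The block below is an added example, not Budibase's code, covering both CVE-2026-48149 entries above. It shows the sink the advisory describes (a markdown renderer's HTML handed to innerHTML unchanged) beside an allowlist sanitizer applied before the assignment. The "renderer output" strings are constructed by hand to resemble what a markdown library emits for a cell that contains raw HTML; they are not produced by marked. The sanitizer is deliberately small so the principle is visible: in production use a maintained sanitizer such as DOMPurify, which also handles the parser edge cases a regex cannot (for example a `>` inside an attribute value).

```typescript
// Added example, not Budibase code: the innerHTML sink from CVE-2026-48149
// beside an allowlist sanitizer. HTML inputs below are constructed, not the
// output of marked; the sanitizer is a minimal illustration, not a replacement
// for DOMPurify.

// Tags that may reach the DOM; anything else is removed, its text kept.
const ALLOWED_TAGS: Record<string, true> = {
  p: true, em: true, strong: true, a: true, code: true, pre: true,
  ul: true, ol: true, li: true, h1: true, h2: true, h3: true,
  blockquote: true, br: true,
};
// Only <a> keeps any attributes. Stripping everything else to a bare tag drops
// on* handlers, style, srcdoc and similar in one move.
const ALLOWED_ATTRS: Record<string, Record<string, true>> = {
  a: { href: true, title: true },
};
// Elements removed together with their content, so script bodies and srcdoc
// documents never reach the DOM even as text.
const DROP_WITH_CONTENT = /<(script|style|iframe|object|embed|template)\b[^>]*>[\s\S]*?<\/\1\s*>/gi;
const TAG_RE = /<(\/?)([a-z][a-z0-9]*)\b([^>]*)>/gi;
const ATTR_RE = /([a-z][a-z0-9-]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/gi;

function safeHref(value: string): boolean {
  // http(s), mailto, same-origin paths and fragments only: rejects javascript:, data:, vbscript: ...
  return /^(https?:|mailto:|\/|#)/i.test(value.trim());
}

function sanitizeHtml(html: string): string {
  const withoutActive = html.replace(DROP_WITH_CONTENT, "");
  return withoutActive.replace(TAG_RE, (_m: string, slash: string, name: string, attrs: string) => {
    const tag = name.toLowerCase();
    if (!ALLOWED_TAGS[tag]) return "";       // unknown tag: remove the tag, keep its text
    if (slash) return `</${tag}>`;
    const allowed = ALLOWED_ATTRS[tag];
    if (!allowed) return `<${tag}>`;         // allowed tag, no attributes permitted
    const kept: string[] = [];
    const re = new RegExp(ATTR_RE.source, "gi"); // fresh lastIndex for this tag
    let a: RegExpExecArray | null;
    while ((a = re.exec(attrs)) !== null) {
      const key = a[1].toLowerCase();
      const value = a[2] !== undefined ? a[2] : a[3] !== undefined ? a[3] : a[4];
      if (!allowed[key]) continue;
      if (key === "href" && !safeHref(value)) continue;
      kept.push(`${key}="${value.replace(/"/g, "&quot;")}"`);
    }
    return kept.length ? `<${tag} ${kept.join(" ")}>` : `<${tag}>`;
  });
}

// Constructed renderer output for a benign cell: must pass through unchanged.
const BENIGN_HTML =
  '<p>Quarterly <strong>summary</strong>: see <a href="https://example.com/q1" title="Q1">report</a></p>';

// Constructed renderer output for a hostile cell whose raw HTML the renderer
// passed through: an inline script, an event handler, a javascript: link and
// an iframe whose srcdoc would be a second document.
const HOSTILE_HTML =
  '<p>hello</p>' +
  '<script>alert(1)</script>' +
  '<img src=x onerror="alert(2)">' +
  '<a href="javascript:alert(3)">click</a>' +
  '<iframe srcdoc="&lt;script src=https://cdn.example/lib.js&gt;&lt;/script&gt;"></iframe>';

// The vulnerable component does `el.innerHTML = rendererOutput` with nothing in
// between; the hardened one does `el.innerHTML = sanitizeHtml(rendererOutput)`.
console.log("unsanitized:", HOSTILE_HTML);
console.log("sanitized:  ", sanitizeHtml(HOSTILE_HTML));
```

Two things to note when porting this idea: sanitize the renderer's HTML output, not the markdown input, since the renderer itself reintroduces raw HTML; and treat iframe and its srcdoc the same as script, because a nested document is a second execution context rather than markup.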
OSV · added 2025/10/22 5:15 p.m. · 1 view

CVE-2025-11957

Improper authorization in the temporary access workflow of Devolutions Server 2025.2.12.0 and earlier allows an authenticated basic user to self-approve or approve the temporary access requests of other users and gain unauthorized access to vaults and entries via crafted API requests...

CVSS 9 · AI score 5.8 · EPSS 0.00063
Exploits: 0 · References: 1
EUVD · added 2025/10/03 8:07 p.m. · 2 views

EUVD-2025-27210

Malicious code in bioql PyPI...

CVSS 5.4 · AI score 6.6 · EPSS 0.00051
Exploits: 0 · References: 2
RedhatCVE · added 2025/09/11 2:09 a.m. · 5 views

CVE-2025-42915

Fiori app Manage Payment Blocks does not perform the necessary authorization checks, allowing an attacker with basic user privileges to abuse functionalities that should be restricted to specific user groups. This issue could impact both the confidentiality and integrity of the application without...

CVSS 5.4 · AI score 6.7 · EPSS 0.00051
Exploits: 0 · References: 1
NVD · added 2025/09/09 2:15 a.m. · 2 views

CVE-2025-42915

Fiori app Manage Payment Blocks does not perform the necessary authorization checks, allowing an attacker with basic user privileges to abuse functionalities that should be restricted to specific user groups. This issue could impact both the confidentiality and integrity of the application without...

CVSS 5.4 · EPSS 0.00051
Exploits: 0 · References: 2
Positive Technologies · added 2025/09/09 12:00 a.m. · 2 views

PT-2025-36548

Name of the Vulnerable Software and Affected Versions: Fiori app Manage Payment Blocks (affected versions not specified). Description: The Fiori app Manage Payment Blocks does not perform the necessary authorization checks. This allows an attacker with basic user privileges to abuse functionalities...

CVSS 5.4 · AI score 6.1 · EPSS 0.00051
Exploits: 0 · References: 6
Positive Technologies · added 2023/01/10 12:00 a.m. · 2 views

PT-2023-14622 · Archibus · Archibus Web Central

Name of the Vulnerable Software and Affected Versions: Archibus Web Central version 2022.03.01.107. Description: An issue was discovered in the application where a service allows a basic user to cancel or delete a booking created by someone else, even if the basic user is not a member of the...

CVSS 4.3 · AI score 7 · EPSS 0.00159
Exploits: 0 · References: 5
Positive Technologies · added 2023/01/10 12:00 a.m. · 2 views

PT-2023-14625 · Archibus · Archibus Web Central

Name of the Vulnerable Software and Affected Versions: Archibus Web Central version 2022.03.01.107. Description: An issue was discovered in the application where a service exposed allows a basic user to access the profile information of all connected users. Recommendations: For Archibus Web Centra...

CVSS 4.3 · AI score 7 · EPSS 0.002
Exploits: 0 · References: 5
CNNVD · added 2023/01/10 12:00 a.m. · 1 view

ARCHIBUS Web Central Security Vulnerability

ARCHIBUS Web Central is a web-based management center for ARCHIBUS that organizes facility and infrastructure management tasks in an intuitive web browser interface. All infrastructure data is stored in a centralized repository so that authorized users from anywhere in the world can enter, ed...

CVSS 4.3 · AI score 5.1 · EPSS 0.002
Exploits: 0 · References: 2
Positive Technologies · added 2023/01/10 12:00 a.m. · 1 view

PT-2023-14624 · Archibus · Archibus Web Central

Name of the Vulnerable Software and Affected Versions: Archibus Web Central version 2022.03.01.107. Description: An issue was discovered in the application where a service accepts user-controlled parameters to act on the data returned to the user. This allows a basic user to access data unrelated ...

CVSS 6.5 · AI score 6.9 · EPSS 0.00196
Exploits: 0 · References: 6