CVE-2026-35218 Budibase: Stored XSS via unsanitized entity names rendered with {@html} in Builder Command Palette

Budibase is an open-source low-code platform. Prior to version 3.32.5, Budibase's Builder Command Palette renders entity names tables, views, queries, automations using Svelte's @html directive without any sanitization. An authenticated user with Builder access can create a table, automation, vie...

CVE-2026-35218 Budibase: Stored XSS via unsanitized entity names rendered with {@html} in Builder Command Palette

Budibase is an open-source low-code platform. Prior to version 3.32.5, Budibase's Builder Command Palette renders entity names tables, views, queries, automations using Svelte's @html directive without any sanitization. An authenticated user with Builder access can create a table, automation, vie...

CVE-2026-35218

Budibase (open‑source low-code platform) prior to version 3.32.5 is affected by a Stored XSS in the Builder Command Palette. The vulnerability arises because entity names (tables, views, queries, automations) are rendered using Svelte’s {@html} without sanitization, allowing an authenticated Buil...

PT-2026-30193

Name of the Vulnerable Software and Affected Versions Budibase versions prior to 3.32.5 Description Budibase, an open-source low-code platform, had a critical issue in its Builder Command Palette. Before version 3.32.5, entity names tables, views, queries, automations were rendered using Svelte's...