39 matches found

RedhatCVE
added 6 days ago | 6 views

CVE-2026-48146

Budibase is an open-source low-code platform. Prior to 3.39.0, the OAuth2 token fetch function in packages/server/src/sdk/workspace/oauth2/utils.ts uses raw fetchconfig.url with no SSRF protection. The safe wrapper fetchWithBlacklist exists in the same codebase and is used in every other outbound...

CVSS 7.7 | AI score 5.8 | EPSS 0.00032
Exploits: 0 | References: 1

NVD
added 2026/05/27 6:16 p.m. | 8 views

CVE-2026-48146

Budibase is an open-source low-code platform. Prior to 3.39.0, the OAuth2 token fetch function in packages/server/src/sdk/workspace/oauth2/utils.ts uses raw fetchconfig.url with no SSRF protection. The safe wrapper fetchWithBlacklist exists in the same codebase and is used in every other outbound...

CVSS 7.7 | EPSS 0.00032
Exploits: 0 | References: 1

EUVD
added 2026/05/27 5:12 p.m. | 6 views

EUVD-2026-32605

Budibase is an open-source low-code platform. Prior to 3.35.3, the VectorDB configuration endpoint in Budibase accepts a host parameter that undergoes no validation against internal IP ranges, reserved hostnames, or URL schemes. Any authenticated user with builder-level access can supply an...

CVSS 5.3 | AI score 5.9 | EPSS 0.00043
Exploits: 0 | References: 1

EUVD
added 2026/05/27 4:52 p.m. | 5 views

EUVD-2026-32587

Budibase is an open-source low-code platform. Prior to 3.39.0, fetchToken in the OAuth2 SDK makes a POST to a builder-supplied URL with plain node-fetch, skipping the blacklist.isBlacklisted check that every other outbound fetch path in the codebase uses. The Joi schema for the OAuth2 URL has no...

CVSS 8.5 | AI score 5.8 | EPSS 0.00032
Exploits: 0 | References: 1

CNNVD
added 2026/04/14 12:00 a.m. | 2 views

Microsoft Power Apps security vulnerability

Microsoft Power Apps is a low-code development platform provided by Microsoft Corporation in the United States. It aims to help users easily build custom enterprise-level applications. There are security vulnerabilities in Microsoft Power Apps. Attackers can exploit these vulnerabilities to bypas...

CVSS 9 | AI score 5.8 | EPSS 0.00071
Exploits: 0 | References: 1

CNNVD
added 2026/04/03 12:00 a.m. | 3 views

Budibase security vulnerability

Budibase is an open-source low-code platform developed by Budibase in the UK. It allows for the creation of internal applications, workflows, and management panels within minutes. Versions of Budibase prior to 3.33.4 contained a security vulnerability. This vulnerability stemmed from the SSRF...

CVSS 9.9 | AI score 5.8 | EPSS 0.00014
Exploits: 1 | References: 4

CNNVD
added 2026/04/01 12:00 a.m. | 1 view

JeecgBoot security vulnerability

JeecgBoot is a Java low-code platform developed by Jeecg Corporation, designed for enterprise web applications. Versions of JeecgBoot from 3.0.0 to 3.5.3 have security vulnerabilities. These vulnerabilities stem from lax character filtering, which could allow attackers to execute arbitrary code o...

CVSS 9.8 | AI score 6.3 | EPSS 0.01164
Exploits: 0 | References: 2

EUVD
added 2026/03/09 8:55 p.m. | 2 views

EUVD-2026-10358

Budibase is a low code platform for creating internal tools, workflows, and admin panels. In 3.31.4 and earlier, the Budibase server's authorized middleware that protects every server-side API endpoint can be completely bypassed by appending a webhook path pattern to the query string of any...

CVSS 9.1 | AI score 5.8 | EPSS 0.16947
Exploits: 2 | References: 1

CNNVD
added 2026/02/16 12:00 a.m. | 3 views

JFlow code issue vulnerability

JFlow is a low-code BPM development platform open-sourced by Jinan Chicheng opencc in China. Versions of JFlow dated 20260129 and earlier contained code vulnerabilities. These vulnerabilities stemmed from incorrect handling of the File parameter in the function ImpDone within the Workflow Engine...

CVSS 6.5 | AI score 6.7 | EPSS 0.00031
Exploits: 0 | References: 6

CNNVD
added 2025/10/23 12:00 a.m. | 2 views

Instant Developer Foundation security vulnerability

Instant Developer Foundation is a low-code application development platform from the Italian company Instant Developer. A security vulnerability exists in Instant Developer Foundation versions prior to 25.0.9600 that stems from not properly cleaning up user-controlled inputs and could lead to cod...

CVSS 6.5 | AI score 7.2 | EPSS 0.00093
Exploits: 0 | References: 4

CNNVD
added 2025/10/17 12:00 a.m. | 1 view

ILLA Builder security vulnerability

ILLA Builder is a low-code platform open-sourced by ILLA Cloud. A security vulnerability exists in ILLA Builder versions prior to v4.8.5 that stems from the API allowing arbitrary requests to be sent, which could lead to a server-side request forgery attack...

CVSS 9.6 | AI score 6.7 | EPSS 0.00041
Exploits: 0 | References: 3

CNNVD
added 2025/10/09 12:00 a.m. | 1 view

xckk security vulnerability

xckk small dishes low-code development platform is a low-code development platform open-sourced by China Cloud Network Software bestfeng. A security vulnerability exists in xckk v9.6, which stems from the orderBy parameter in address/list not being securely filtered, which may lead to SQL injection...

CVSS 6.5 | AI score 7.8 | EPSS 0.00038
Exploits: 1 | References: 2

CNNVD
added 2025/10/09 12:00 a.m. | 2 views

xckk security vulnerability

xckk small dishes low-code development platform is a low-code development platform open-sourced by China Cloud Network Software bestfeng. A security vulnerability exists in xckk v9.6, which stems from the orderBy parameter in user/list not being securely filtered, which may lead to SQL injection...

CVSS 6.5 | AI score 7.8 | EPSS 0.00038
Exploits: 1 | References: 2

CNNVD
added 2025/08/28 12:00 a.m. | 1 view

Valtimo security vulnerability

Valtimo is a low-code platform for business process automation open-sourced by Valtimo in the Netherlands. A security vulnerability exists in Valtimo versions prior to 12.16.0.RELEASE and 13.1.2.RELEASE, which stems from the possibility that an administrator may access sensitive data or resources...

CVSS 9.1 | AI score 6.4 | EPSS 0.00087
Exploits: 0 | References: 3

CNNVD
added 2025/06/05 12:00 a.m. | 3 views

Microsoft Power Automate information disclosure vulnerability

Microsoft Power Automate is a low-code automation platform from Microsoft Corporation USA that allows users to create automated workflows that connect and integrate with various applications and services. An information disclosure vulnerability exists in Microsoft Power Automate that stems from t...

CVSS 9.8 | AI score 8.5 | EPSS 0.06005
Exploits: 0 | References: 2

CNNVD
added 2025/04/30 12:00 a.m. | 2 views

HCL Leap security vulnerability

HCL Leap is a low-code development platform from HCL India. A security vulnerability exists in HCL Leap, which stems from an inadequate default configuration that could lead to anonymous access to directory information...

CVSS 5.3 | AI score 6.6 | EPSS 0.00284
Exploits: 0 | References: 1

CNNVD
added 2025/04/30 12:00 a.m. | 2 views

HCL Leap security vulnerability

HCL Leap is a low-code development platform from HCL India. HCL Leap has a security vulnerability that stems from the lack of a no cache header, which could lead to caching of sensitive data...

CVSS 7.5 | AI score 6.6 | EPSS 0.00156
Exploits: 0 | References: 1

CNNVD
added 2025/04/30 12:00 a.m. | 2 views

HCL Leap security vulnerability

HCL Leap is a low-code development platform from HCL India. HCL Leap has a security vulnerability that stems from an inadequate cleanup policy that could lead to client-side script injection...

CVSS 6.3 | AI score 6.8 | EPSS 0.00158
Exploits: 0 | References: 1

CNNVD
added 2025/04/24 12:00 a.m. | 2 views

HCL Leap security vulnerability

HCL Leap is a low-code development platform from HCL India. A security vulnerability exists in HCL Leap, which stems from the lack of a no cache header, which could lead to user directory information being cached...

CVSS 3.2 | AI score 6.4 | EPSS 0.00067
Exploits: 0 | References: 1

CNNVD
added 2025/04/24 12:00 a.m. | 1 view

HCL Leap security vulnerability

HCL Leap is a low-code development platform from HCL India. HCL Leap has a security vulnerability that stems from an inadequate default configuration that allows anonymous access to directory information...

CVSS 5.3 | AI score 6.8 | EPSS 0.00314
Exploits: 0 | References: 1