8.7
CVE-2026-35218
- EPSS 0.33%
- Veröffentlicht 03.04.2026 15:47:45
- Zuletzt bearbeitet 08.04.2026 21:18:49
- Quelle security-advisories@github.com
- CVE-Watchlists
- Unerledigt
LoginBudibase: Stored XSS via unsanitized entity names rendered with {@html} in Builder Command Palette
Budibase is an open-source low-code platform. Prior to version 3.32.5, Budibase's Builder Command Palette renders entity names (tables, views, queries, automations) using Svelte's {@html} directive without any sanitization. An authenticated user with Builder access can create a table, automation, view, or query whose name contains an HTML payload (e.g. <img src=x onerror=alert(document.domain)>). When any Builder-role user in the same workspace opens the Command Palette (Ctrl+K), the payload executes in their browser, stealing their session cookie and enabling full account takeover. This issue has been patched in version 3.32.5.| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.33% | 0.245 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| security-advisories@github.com | 8.7 | 2.3 | 5.8 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
|
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
https://github.com/Budibase/budibase/security/advisories/GHSA-gp5x-2v54-v2q5
https://github.com/Budibase/budibase/pull/18243
https://github.com/Budibase/budibase/commit/c9ccf0c19e5849f1bda96401aa33f97c99cd8cd6
https://github.com/Budibase/budibase/releases/tag/3.32.5