Budibase’s Builder command palette renders entity names with the Svelte {@html} directive without sanitization, creating a stored cross‑site scripting flaw. The flaw enables an authenticated Builder‑privileged user to create a table, view, query, or automation whose name contains malicious HTML. When any Builder‑role user opens the palette, the payload executes in the browser, allowing the attacker to read or steal the session cookie and ultimately perform a full account takeover. The weakness is a stored XSS (CWE‑79).

Any Budibase installation running a version prior to 3.32.5 is affected. The issue requires an authenticated user with Builder access to create an entity whose name contains the harmful payload. Once established, all users with Builder privileges in the same workspace who open the command palette can be impacted. The bug does not affect unauthenticated users or other roles outside the workspace. All Budibase deployments using the default open‑source build are potentially vulnerable until patched.

The CVSS score is 8.7, indicating high severity. No EPSS score is provided, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires an attacker to obtain Builder privileges, inject a malicious name, and wait for other Builder‑role users to open the palette. Because the trigger is local to the client’s browser, any user who accesses the command palette after the malicious entity is created is vulnerable. Internal threat actors or compromised credentials pose the highest risk, while external attackers would need to first compromise a Builder account to exploit the flaw.