Description
Budibase is an open-source low-code platform. Prior to version 3.32.5, Budibase's Builder Command Palette renders entity names (tables, views, queries, automations) using Svelte's {@html} directive without any sanitization. An authenticated user with Builder access can create a table, automation, view, or query whose name contains an HTML payload (e.g. <img src=x onerror=alert(document.domain)>). When any Builder-role user in the same workspace opens the Command Palette (Ctrl+K), the payload executes in their browser, stealing their session cookie and enabling full account takeover. This issue has been patched in version 3.32.5.
Published: 2026-04-03
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Account takeover via stored XSS
Action: Immediate Patch
AI Analysis

Impact

Budibase renders entity names—such as tables, views, queries, and automations—directly into the Builder Command Palette using Svelte's {@html} directive without sanitization. If a malicious user embeds HTML or JavaScript in an entity's name, the code executes client‑side whenever any Builder‑role user opens the palette, allowing theft of session cookies and full account takeover. This flaw corresponds to CWE‑79, a stored cross‑site scripting vulnerability.

Affected Systems

Budibase is the affected product. All installations running a version earlier than 3.32.5 are vulnerable; the patch shipped in 3.32.5 and later releases. Any entity hosted in a workspace whose name contains user‑controlled content may trigger the flaw.

Risk and Exploitability

The recorded CVSS score is 8.7, indicating high severity. However, the EPSS score is below 1%, suggesting a low probability of exploitation in the wild, and the flaw is not listed in CISA's Known Exploited Vulnerabilities catalog. Attackers must be authenticated with Builder privileges and must create or modify an entity name in a shared workspace; any member with Builder access who then opens the palette will be affected. No additional disclosure or exploitation prerequisites are indicated beyond those in the description.

Generated by OpenCVE AI on April 8, 2026 at 22:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Budibase to version 3.32.5 or newer, which sanitizes entity names before rendering.
  • Prior to upgrading, scan existing workspaces and rename or delete any entities whose names contain suspicious HTML or JavaScript payloads.
  • Revoke Builder permissions for users whose role is not required until the update is complete, to limit potential exposure.
  • After the patch, verify that the Command Palette no longer executes code from entity names by creating a benign name and confirming no script execution occurs.
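The rendering mechanism described under Impact and the pre-upgrade inventory scan in the second recommended action, shown in plain JavaScript as an added example that is not Budibase's code or its patch. It assumes nothing about Budibase's internal APIs: the entity records and their names are constructed inline, the two render functions model the string-level behaviour of Svelte's `{@html name}` (markup passes through) and `{name}` (metacharacters are escaped) rather than the real component, and the scan heuristics are this example's own. Whether the 3.32.5 fix escapes or sanitizes names is not detailed on this page.

```javascript
// Added example (not Budibase code). Models the two rendering paths for an
// entity name and a pre-upgrade scan over an inventory of entity names.

// Equivalent of Svelte's {@html name}: the string is emitted as markup.
function renderUnsafe(name) {
  return `<li class="palette-item">${name}</li>`;
}

// Equivalent of Svelte's plain {name} interpolation: HTML metacharacters are
// escaped so the browser treats the name as text, never as markup.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

function renderSafe(name) {
  return `<li class="palette-item">${escapeHtml(name)}</li>`;
}

// Heuristics for the pre-upgrade inventory scan (this example's own): a name
// containing anything tag-like, an inline event handler attribute, or a
// javascript: URL is reported for manual review. A bare "<" followed by
// whitespace (e.g. "qty < 10") is left alone to keep the report quiet.
const SUSPICIOUS = [
  /<\s*\/?[a-z!?]/i, // opening/closing tag, comment or doctype
  /\bon[a-z]+\s*=/i, // onerror=, onload=, ...
  /javascript\s*:/i, // javascript: URL in an href/src
];

function isSuspiciousName(name) {
  return SUSPICIOUS.some((re) => re.test(name));
}

// entities: [{ type, id, name }] as exported from a workspace (hypothetical
// shape; the real export format is not described on the page).
function findSuspiciousEntities(entities) {
  return entities.filter((e) => isSuspiciousName(e.name));
}

// Constructed sample inventory; the payload is the one quoted in the advisory.
const SAMPLE_ENTITIES = [
  { type: 'table', id: 'ta_1', name: 'Customers' },
  { type: 'table', id: 'ta_2', name: '<img src=x onerror=alert(document.domain)>' },
  { type: 'automation', id: 'au_1', name: 'Nightly <b>export</b>' },
  { type: 'view', id: 'vi_1', name: 'Orders where qty < 10' },
  { type: 'query', id: 'qu_1', name: 'Sales by region' },
];

for (const e of findSuspiciousEntities(SAMPLE_ENTITIES)) {
  console.log(`review ${e.type} ${e.id}: ${JSON.stringify(e.name)}`);
}
console.log(renderUnsafe(SAMPLE_ENTITIES[1].name)); // markup reaches the DOM
console.log(renderSafe(SAMPLE_ENTITIES[1].name));   // rendered as literal text
```

The scan is a triage aid, not a filter: names it reports should be renamed or deleted by hand as the recommended action says, and the real fix is rendering names as text (the `renderSafe` path) rather than trying to enumerate bad inputs.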

Advisories

No advisories yet.

History

Wed, 08 Apr 2026 21:30:00 +0000

Type | Values Removed | Values Added
CPEs | | cpe:2.3:a:budibase:budibase:*:*:*:*:*:*:*:*

Fri, 03 Apr 2026 21:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Budibase; Budibase budibase
Vendors & Products | | Budibase; Budibase budibase

Fri, 03 Apr 2026 20:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 03 Apr 2026 16:30:00 +0000

Type | Values Removed | Values Added
Description | | Budibase is an open-source low-code platform. Prior to version 3.32.5, Budibase's Builder Command Palette renders entity names (tables, views, queries, automations) using Svelte's {@html} directive without any sanitization. An authenticated user with Builder access can create a table, automation, view, or query whose name contains an HTML payload (e.g. <img src=x onerror=alert(document.domain)>). When any Builder-role user in the same workspace opens the Command Palette (Ctrl+K), the payload executes in their browser, stealing their session cookie and enabling full account takeover. This issue has been patched in version 3.32.5.
Title | | Budibase: Stored XSS via unsanitized entity names rendered with {@html} in Builder Command Palette
Weaknesses | | CWE-79
References | |
Metrics | | cvssV3_1 {'score': 8.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-03T20:05:06.999Z

Reserved: 2026-04-01T18:48:58.938Z

Link: CVE-2026-35218

Vulnrichment

Updated: 2026-04-03T20:05:02.888Z

NVD

Status: Analyzed

Published: 2026-04-03T16:16:41.977

Modified: 2026-04-08T21:18:49.067

Link: CVE-2026-35218

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-09T08:29:10Z

Weaknesses