Description
Budibase is an open-source low-code platform. Prior to 3.39.0, the Budibase Text component renders markdown by assigning marked.parse(markdown) straight to innerHTML with no sanitizer (packages/bbui/src/Markdown/MarkdownViewer.svelte:22). Any column a builder binds to a Text component in Markdown mode is a stored-XSS sink writable by every BASIC app user with WRITE on the underlying table. This vulnerability is fixed in 3.39.0.
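The following is an added example, not Budibase's own code and not its 3.39.0 fix: it contrasts the pattern the description names (parser output assigned straight to innerHTML) with a sanitized one. miniMarkdown is an assumed stand-in for marked.parse, and the toy allow-list sanitize is an assumed stand-in for a real library such as DOMPurify.

```javascript
// Added example (not Budibase code): a stand-in for marked.parse() that, like
// marked, passes raw inline HTML through unchanged, and a toy allow-list
// sanitizer standing in for a real library such as DOMPurify.

// Stand-in markdown parser: paragraphs, **bold** and [text](url). It does NOT
// escape raw HTML in the source; that is exactly the property that turns
// unsanitized parser output into a stored-XSS sink.
function miniMarkdown(md) {
  return md.trim().split(/\n{2,}/).map((p) =>
    "<p>" +
    p.replace(/\*\*(.+?)\*\*/g, "<strong>$1</strong>")
     .replace(/\[(.+?)\]\((.+?)\)/g, '<a href="$2">$1</a>') +
    "</p>").join("\n");
}

// Toy sanitizer: keep a short tag allow-list, drop every attribute except an
// http(s)/relative href on <a>. Regex-based, so not production grade; a real
// deployment uses DOMPurify or another DOM-based sanitizer.
const ALLOWED_TAGS = new Set(["p", "strong", "em", "a", "ul", "ol", "li", "code", "pre", "br"]);
function sanitize(html) {
  return html.replace(/<\/?([a-zA-Z][\w-]*)([^>]*)>/g, (tag, name, attrs) => {
    const tagName = name.toLowerCase();
    if (!ALLOWED_TAGS.has(tagName)) return "";   // <script>, <img>, <iframe> ... removed
    if (tag.startsWith("</")) return `</${tagName}>`;
    if (tagName !== "a") return `<${tagName}>`;    // no attributes survive (no onerror etc.)
    const m = /href\s*=\s*["']([^"']*)["']/i.exec(attrs);
    const href = m ? m[1].trim() : "";
    return /^(https?:\/\/|\/|#)/i.test(href)      // javascript:, data: ... rejected
      ? `<a href="${href}">`
      : "<a>";
  });
}

// Vulnerable pattern from the advisory: parser output goes to innerHTML as-is.
function renderUnsafe(markdown) {
  return miniMarkdown(markdown);           // el.innerHTML = renderUnsafe(cell)
}

// Fixed pattern: sanitize the parser's HTML before it reaches innerHTML.
function renderSafe(markdown) {
  return sanitize(miniMarkdown(markdown)); // el.innerHTML = renderSafe(cell)
}

// Constructed table cell, as a BASIC user with WRITE on the table might store it.
const CELL = 'Quarterly notes **done**\n\n<img src=x onerror="alert(1)">\n\n[Docs](https://example.com/docs)';

function demo() {
  const unsafe = renderUnsafe(CELL);
  const safe = renderSafe(CELL);
  return { unsafe, safe, handlerInUnsafe: /onerror=/.test(unsafe), handlerInSafe: /onerror=/.test(safe) };
}
```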
Published: 2026-05-27
Score: 8.1 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Budibase's Text component renders markdown directly to innerHTML without sanitization, creating a stored cross‑site scripting sink. Any BASIC user with WRITE authorization on the underlying table can store malicious markdown that, when rendered in the back‑office, executes JavaScript within the context of an admin session. This flaw permits arbitrary code execution, compromising confidentiality, integrity, and availability of the application.

Affected Systems

Budibase versions prior to 3.39.0 (3.38.x and earlier), specifically the open‑source low‑code platform's Text component when used in markdown mode. All apps deploying this component are affected, particularly those that grant WRITE access on the underlying table to BASIC users.

Risk and Exploitability

The vulnerability receives a CVSS score of 8.1, indicating a high‑severity flaw. EPSS data is unavailable and it is not listed in CISA’s KEV catalog. Attackers need only local data‑write privilege to an affected table column; once malicious markdown is stored, the script runs whenever the view is subsequently rendered, with full admin privileges. The exploit relies on the application’s lack of input sanitization, not on network exposure or external conditions, making the attack vector straightforward for a user with the required permissions.

Generated by OpenCVE AI on May 27, 2026 at 19:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Budibase to version 3.39.0 or later, which sanitizes markdown before rendering.
  • Restrict BASIC users from possessing WRITE permission on tables that feed into Text components in markdown mode, or set those columns to read‑only.
  • Remove or disable the markdown mode on the Text component until a patched version is available.


Advisories

No advisories yet.

History

Wed, 27 May 2026 17:45:00 +0000

Type | Values Removed | Values Added
Description | | Budibase is an open-source low-code platform. Prior to 3.39.0, the Budibase Text component renders markdown by assigning marked.parse(markdown) straight to innerHTML with no sanitizer (packages/bbui/src/Markdown/MarkdownViewer.svelte:22). Any column a builder binds to a Text component in Markdown mode is a stored-XSS sink writable by every BASIC app user with WRITE on the underlying table. This vulnerability is fixed in 3.39.0.
Title | | Budibase: Stored XSS in Text component: BASIC users execute JS in admin session via MarkdownViewer innerHTML + CDN+srcdoc CSP bypass
Weaknesses | | CWE-79
References | |
Metrics | | cvssV3_1 {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-27T16:59:31.077Z

Reserved: 2026-05-20T23:12:43.030Z

Link: CVE-2026-48149

Vulnrichment

No data.

NVD

Status: Deferred

Published: 2026-05-27T18:16:27.333

Modified: 2026-05-27T19:44:35.987

Link: CVE-2026-48149

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T19:30:35Z

Weaknesses