anonhaven
Ad

CVE-2026-25044

HIGH CVSS 4.0: 8.7 EPSS 0.07%
Updated Apr 07, 2026
Budibase
Parameter Value
CVSS 8.7 (HIGH)
Fixed In 3.33.4
Type CWE-78 (OS Command Injection)
Vendor Budibase
Public PoC No

Budibase is an open-source low-code platform. Prior to version 3.33.4, the bash automation step executes user-provided commands using execSync without proper sanitization or validation. User input is processed through processStringSync which allows template interpolation, potentially allowing arbitrary command execution.

This issue has been patched in version 3.33.4.

Attack Parameters

Attack Vector
Network
Can be exploited remotely
Attack Complexity
Low
Easy to exploit
Attack Requirements
None
No additional conditions
Privileges Required
Low
Basic privileges needed
User Interaction
None
No user interaction needed

Impact Assessment

Confidentiality
High
Complete data leak
Integrity
High
Complete data modification
Availability
High
Complete denial of service

CVSS Vector v4.0

Weakness Type (CWE)

CWE-78 OS Command Injection

References 2

https://github.com/Budibase/budibase/releases/tag/3.33.2
security-advisories@github.com
https://github.com/Budibase/budibase/security/advisories/GHSA-gjw9-34gf-rp6m
security-advisories@github.com
Share Post Share Share Share

Related Vulnerabilities

CVE-2026-35216

Budibase

9.0

CVE-2026-35214

Budibase

8.7

CVE-2026-31818

Budibase

9.6

CVE-2026-25043

Budibase

5.3

CVE-2026-31816

Budibase

9.1