anonhaven
Ad

CVE-2026-35218

HIGH CVSS 3.1: 8.7 EPSS 0.03%
Updated Apr 07, 2026
Payload
Parameter Value
CVSS 8.7 (HIGH)
Fixed In 3.32.5
Type CWE-79 (Cross-Site Scripting (XSS))
Vendor Payload
Public PoC No

Budibase is an open-source low-code platform. Prior to version 3.32.5, Budibase's Builder Command Palette renders entity names (tables, views, queries, automations) using Svelte's {@html} directive without any sanitization. An authenticated user with Builder access can create a table, automation, view, or query whose name contains an HTML payload (e.g. <img src=x onerror=alert(document.domain)>).

When any Builder-role user in the same workspace opens the Command Palette (Ctrl+K), the payload executes in their browser, stealing their session cookie and enabling full account takeover. This issue has been patched in version 3.32.5.

Attack Parameters

Attack Vector
Network
Can be exploited remotely
Attack Complexity
Low
Easy to exploit
Privileges Required
Low
Basic privileges needed
User Interaction
Required
User action required

Impact Assessment

Confidentiality
High
Complete data leak
Integrity
High
Complete data modification
Availability
None
No disruption

CVSS Vector v3.1

Weakness Type (CWE)

CWE-79 Cross-Site Scripting (XSS)

References 4

https://github.com/Budibase/budibase/commit/c9ccf0c19e5849f1bda96401aa33f97c99c…
security-advisories@github.com
https://github.com/Budibase/budibase/pull/18243
security-advisories@github.com
https://github.com/Budibase/budibase/releases/tag/3.32.5
security-advisories@github.com
https://github.com/Budibase/budibase/security/advisories/GHSA-gp5x-2v54-v2q5
security-advisories@github.com
Share Post Share Share Share

Related Vulnerabilities

CVE-2026-40922

Payload

5.3

CVE-2026-35469

Payload

8.7

CVE-2026-40901

Payload

7.5

CVE-2024-8010

Payload

3.5

CVE-2025-40899

Payload

7.1