Package impact

npm / @budibase/server

| CVE | Severity | CVSS | Risk | Flags | OS | Vendor | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-45717 | high | 8.8 | 8.8 | | | | 8d ago | Budibase: `PUT /api/datasources/:datasourceId` is protected only by `TABLE/READ` permission instead of builder access, allowing any authenticated app user to overwrite datasource connection parameter… |
| CVE-2026-45548 | high | 7.7 | 7.7 | | | | 8d ago | Budibase: SSRF in AI Extract File Automation Step via Missing IP Blacklist Validation |
| CVE-2026-45715 | high | 7.7 | 7.7 | | | | 8d ago | Budibase is an open-source low-code platform. Prior to 3.38.1, the REST datasource integration (packages/server/src/integrations/rest.ts) follows HTTP redirects without re-checking the IP blacklist, … |
| CVE-2026-45719 | medium | 6.5 | 6.5 | | | | 8d ago | Budibase: CouchDB Reduce Injection via Unsanitized Calculation Parameter in V1 Views API |
| CVE-2026-35216 | unknown | | | | | | 2mo ago | Budibase: Unauthenticated Remote Code Execution via Webhook Trigger and Bash Automation Step |
| CVE-2026-35214 | unknown | | | | | | 2mo ago | Budibase: Path traversal in plugin file upload enables arbitrary directory deletion and file write |
| CVE-2026-25044 | unknown | | | | | | 2mo ago | Budibase: Command Injection in Bash Automation Step |
| CVE-2026-25041 | unknown | | | | | | 3mo ago | @budibase/server: Command Injection in PostgreSQL Dump Command |