Vulnerabilities
Aggregated CVE / GHSA / KEV / OSV — filter by tag and category.
| ID | Title | |
|---|---|---|
| CVE-2026-54350 |
|
SQL Injection in @budibase/server (CVE-2026-54350)
SQL injection in @budibase/server (CVE-2026-54350). Confidential information can be exposed externally. Exploitable via `POST /api/v2/queries/`. Mitigation: upgrade to `3.39.12` or later.
|
| CVE-2026-54353 |
|
Vulnerability in @budibase/backend-core (CVE-2026-54353)
vulnerability in @budibase/backend-core (CVE-2026-54353). Confidential information can be exposed externally. Mitigation: upgrade to `3.39.9` or later.
|
| CVE-2026-54352 |
|
Path Traversal in @budibase/server (CVE-2026-54352)
path traversal in @budibase/server (CVE-2026-54352). Confidential information can be exposed externally. Exploitable via `POST /api/pwa/process-zip`. Mitigation: upgrade to `3.39.9` or later.
|
| CVE-2026-54351 |
|
Vulnerability in @budibase/server (CVE-2026-54351)
vulnerability in @budibase/server (CVE-2026-54351). Confidential information can be exposed externally. Exploitable via `POST /api/webhooks/trigger/`. Mitigation: upgrade to `3.39.9` or later.
|
| CVE-2026-50137 |
|
Vulnerability in @budibase/server (CVE-2026-50137)
vulnerability in @budibase/server (CVE-2026-50137). Confidential information can be exposed externally. Exploitable via `POST /api/attachments/`. Mitigation: upgrade to `3.39.0` or later.
|
| CVE-2026-50136 |
|
Vulnerability in @budibase/server (CVE-2026-50136)
vulnerability in @budibase/server (CVE-2026-50136). Risk of unauthorized operations or information disclosure. Exploitable via `POST /api/attachments/`. Mitigation: upgrade to `3.39.2` or later.
|
| CVE-2026-50132 |
|
Vulnerability in @budibase/server (CVE-2026-50132)
vulnerability in @budibase/server (CVE-2026-50132). Confidential information can be exposed externally. Exploitable via `GET /api/chat-links/`. Mitigation: upgrade to `3.39.0` or later.
|
| CVE-2026-42239 |
|
Vulnerability in @budibase/backend-core (CVE-2026-42239)
vulnerability in @budibase/backend-core (CVE-2026-42239). Confidential information can be exposed externally. Exploitable via ``document.cookie``. Mitigation: upgrade to `3.35.10` or later.
|