npm · 1 critical
@budibase/backend-core
5 known vulnerabilities · 1 critical · 0 high
GHSA-6vp2-6r7m-2jvx
Budibase: Missing Cache Invalidation on Public API Role Unassignment Allows Revoked Users to Retain Privileges for Up to 1 Hour
Published May 19, 2026
GHSA-8783-3wgf-jggf
Budibase: Authentication Bypass via Unanchored Regex in Public Endpoint Matcher — Unauthenticated Access to Protected Endpoints
Published Apr 16, 2026
GHSA-wxq7-x3qp-vcr8
Budibase: Unanchored Regex in `matchers.ts` Allows CSRF Bypass via Query String Injection in Budibase Worker
Published Jun 12, 2026
GHSA-4f9j-vr4p-642r
Budibase auth session cookies are set with httpOnly:false — any XSS can lead to full account takeover
Published Apr 24, 2026
CVE-2026-31818 · CRITICAL
Risk: 48/100
Budibase: Server-Side Request Forgery via REST Connector with Empty Default Blacklist
Published Apr 3, 2026