@budibase/server
13 known vulnerabilities · 1 critical · 1 high
Budibase: Command Injection in Bash Automation Step
Budibase: Unauthenticated Remote Code Execution via Webhook Trigger and Bash Automation Step
Budibase: `PUT /api/datasources/:datasourceId` is protected only by `TABLE/READ` permission instead of builder access, allowing any authenticated app user to overwrite datasource connection parameters including host, port, and URL
Budibase: SSRF Bypass via HTTP Redirect in REST Datasource Integration
Budibase: SSRF in AI Extract File Automation Step via Missing IP Blacklist Validation
Budibase: CouchDB Reduce Injection via Unsanitized Calculation Parameter in V1 Views API
Budibase: Path traversal in plugin file upload enables arbitrary directory deletion and file write
Budibase: Basic app users can exfiltrate stored REST datasource auth by rewriting datasource base URL
Budibase: Workspace-scoped builder escalates to global admin via /api/public/v1/roles/assign
Budibase: Unvalidated VectorDB Host Parameter Enables SSRF
Budibase: SSRF via OAuth2 Config Validation — Missing fetchWithBlacklist Protection
Budibase: Webhook schema endpoint authorization bypass allows unauthenticated mutation of webhook and automation schema