CVE-2026-35216
unknown
CVSS v3
—
CVSS v2
—
VIR risk
—
Description
Budibase: Unauthenticated Remote Code Execution via Webhook Trigger and Bash Automation Step
Predictions
Exploit likelihood
30%
Patch ETA
—
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
No vendor mitigations ingested yet for this CVE. The mitigation-content worker queues fetches as references arrive — check back in a few minutes, or see the references list below.
Package impact
| Ecosystem | Package | Vulnerable | Fixed |
|---|---|---|---|
| npm | @budibase/server | <3.33.4 | 3.33.4 |
References
- https://github.com/Budibase/budibase/security/advisories/GHSA-fcm4-4pj2-m5hf
- https://nvd.nist.gov/vuln/detail/CVE-2026-35216
- https://github.com/Budibase/budibase/pull/18238
- https://github.com/Budibase/budibase/commit/f0c731b409a96e401445a6a6030d2994ff4ac256
- https://github.com/Budibase/budibase
- https://github.com/Budibase/budibase/releases/tag/3.33.4
Verify integrity in audit chain (admin only). AS-IS.