Package impact
NPM / @budibase/backend-core
| CVE | Severity | CVSS | Risk | Flags | OS | Vendor | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-42239 | high | 8.1 | 8.1 | | | | 22d ago | Budibase auth session cookies are set with httpOnly:false — any XSS can lead to full account takeover |
| CVE-2026-46424 | medium | 4.2 | 4.2 | | | | 3d ago | Budibase is an open-source low-code platform. Prior to 3.38.2, the public API role unassignment endpoint (POST /api/public/v1/roles/unassign) updates user documents in CouchDB but does not invalidate… |