Package impact
NPM / @budibase/server
| CVE | Severity | CVSS | Risk | Flags | OS | Vendor | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-45717 | high | 8.8 | 8.8 | | | | 1d ago | Budibase: `PUT /api/datasources/:datasourceId` is protected only by `TABLE/READ` permission instead of builder access, allowing any authenticated app user to overwrite datasource connection parameter… |
| CVE-2026-45548 | high | 7.7 | 7.7 | | | | 1d ago | Budibase: SSRF in AI Extract File Automation Step via Missing IP Blacklist Validation |
| CVE-2026-45715 | high | 7.7 | 7.7 | | | | 1d ago | Budibase is an open-source low-code platform. Prior to 3.38.1, the REST datasource integration (packages/server/src/integrations/rest.ts) follows HTTP redirects without re-checking the IP blacklist, … |
| CVE-2026-45719 | medium | 6.5 | 6.5 | | | | 1d ago | Budibase: CouchDB Reduce Injection via Unsanitized Calculation Parameter in V1 Views API |