Package impact
npm / @budibase/backend-core
| CVE | Severity | CVSS | Risk | Flags | OS | Vendor | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-41428 | critical | 9.1 | 9.1 | | | | 1mo ago | Budibase: Authentication Bypass via Unanchored Regex in Public Endpoint Matcher — Unauthenticated Access to Protected Endpoints |
| CVE-2026-42239 | high | 8.1 | 8.1 | | | | 22d ago | Budibase auth session cookies are set with httpOnly:false — any XSS can lead to full account takeover |
| CVE-2026-46424 | medium | 4.2 | 4.2 | | | | 3d ago | Budibase is an open-source low-code platform. Prior to 3.38.2, the public API role unassignment endpoint (POST /api/public/v1/roles/unassign) updates user documents in CouchDB but does not invalidate… |
| CVE-2026-31818 | unknown | — | — | | | | 2mo ago | Budibase: Server-Side Request Forgery via REST Connector with Empty Default Blacklist |