{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25041", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-28T14:50:47.886Z", "datePublished": "2026-03-09T19:53:10.448Z", "dateUpdated": "2026-03-09T20:34:21.741Z"}, "containers": {"cna": {"title": "Budibase has a Command Injection in PostgreSQL Dump Command", "problemTypes": [{"descriptions": [{"cweId": "CWE-78", "lang": "en", "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 8.6, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/Budibase/budibase/security/advisories/GHSA-726g-59wr-cj4c", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/Budibase/budibase/security/advisories/GHSA-726g-59wr-cj4c"}, {"name": "https://github.com/Budibase/budibase/commit/9fdbff32fb9e69650ba899a799e13f80d9b09e93", "tags": ["x_refsource_MISC"], "url": "https://github.com/Budibase/budibase/commit/9fdbff32fb9e69650ba899a799e13f80d9b09e93"}, {"name": "https://github.com/Budibase/budibase/blob/f34d545602a7c94427bae63312a5ee9bf2aa6c85/packages/server/src/integrations/postgres.ts#L529-L531", "tags": ["x_refsource_MISC"], "url": "https://github.com/Budibase/budibase/blob/f34d545602a7c94427bae63312a5ee9bf2aa6c85/packages/server/src/integrations/postgres.ts#L529-L531"}], "affected": [{"vendor": "Budibase", "product": "budibase", "versions": [{"version": "<= 3.23.22", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-09T19:53:10.448Z"}, "descriptions": [{"lang": "en", "value": "Budibase is a low code platform for creating internal tools, workflows, and admin panels. In 3.23.22 and earlier, the PostgreSQL integration constructs shell commands using user-controlled configuration values (database name, host, password, etc.) without proper sanitization. The password and other connection parameters are directly interpolated into a shell command. This affects packages/server/src/integrations/postgres.ts."}], "source": {"advisory": "GHSA-726g-59wr-cj4c", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25041", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-09T20:31:29.973731Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-09T20:34:21.741Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25041", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-09T20:31:29.973731Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-09T20:31:37.699Z"}}], "cna": {"title": "Budibase has a Command Injection in PostgreSQL Dump Command", "source": {"advisory": "GHSA-726g-59wr-cj4c", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 8.6, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "Budibase", "product": "budibase", "versions": [{"status": "affected", "version": "<= 3.23.22"}]}], "references": [{"url": "https://github.com/Budibase/budibase/security/advisories/GHSA-726g-59wr-cj4c", "name": "https://github.com/Budibase/budibase/security/advisories/GHSA-726g-59wr-cj4c", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/Budibase/budibase/commit/9fdbff32fb9e69650ba899a799e13f80d9b09e93", "name": "https://github.com/Budibase/budibase/commit/9fdbff32fb9e69650ba899a799e13f80d9b09e93", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/Budibase/budibase/blob/f34d545602a7c94427bae63312a5ee9bf2aa6c85/packages/server/src/integrations/postgres.ts#L529-L531", "name": "https://github.com/Budibase/budibase/blob/f34d545602a7c94427bae63312a5ee9bf2aa6c85/packages/server/src/integrations/postgres.ts#L529-L531", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Budibase is a low code platform for creating internal tools, workflows, and admin panels. In 3.23.22 and earlier, the PostgreSQL integration constructs shell commands using user-controlled configuration values (database name, host, password, etc.) without proper sanitization. The password and other connection parameters are directly interpolated into a shell command. This affects packages/server/src/integrations/postgres.ts."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-78", "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-09T19:53:10.448Z"}}}, "cveMetadata": {"cveId": "CVE-2026-25041", "state": "PUBLISHED", "dateUpdated": "2026-03-09T20:34:21.741Z", "dateReserved": "2026-01-28T14:50:47.886Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-09T19:53:10.448Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:budibase:budibase:*:*:*:*:*:*:*:*", "matchCriteriaId": "12003F5A-AC57-4F27-9081-35A2D3E7ECA5", "versionEndIncluding": "3.23.22", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Budibase is a low code platform for creating internal tools, workflows, and admin panels. In 3.23.22 and earlier, the PostgreSQL integration constructs shell commands using user-controlled configuration values (database name, host, password, etc.) without proper sanitization. The password and other connection parameters are directly interpolated into a shell command. This affects packages/server/src/integrations/postgres.ts."}, {"lang": "es", "value": "Budibase es una plataforma de bajo c\u00f3digo para crear herramientas internas, flujos de trabajo y paneles de administraci\u00f3n. En 3.23.22 y anteriores, la integraci\u00f3n de PostgreSQL construye comandos de shell utilizando valores de configuraci\u00f3n controlados por el usuario (nombre de la base de datos, host, contrase\u00f1a, etc.) sin una sanitizaci\u00f3n adecuada. La contrase\u00f1a y otros par\u00e1metros de conexi\u00f3n se interpolan directamente en un comando de shell. Esto afecta a packages/server/src/integrations/postgres.ts."}], "id": "CVE-2026-25041", "lastModified": "2026-03-13T19:23:55.590", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "HIGH", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-09T20:16:07.147", "references": [{"source": "security-advisories@github.com", "tags": ["Product"], "url": "https://github.com/Budibase/budibase/blob/f34d545602a7c94427bae63312a5ee9bf2aa6c85/packages/server/src/integrations/postgres.ts#L529-L531"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/Budibase/budibase/commit/9fdbff32fb9e69650ba899a799e13f80d9b09e93"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/Budibase/budibase/security/advisories/GHSA-726g-59wr-cj4c"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-78"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.23.22]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "budibase", "source": "cna", "vendor": "Budibase"}, "product": "budibase", "vendor": "budibase"}], "analysis": {"en": {"generated_at": "2026-04-16T10:13:18.623235+00:00", "value": {"mitigation_remediation": ["Upgrade Budibase to a version newer than 3.23.22, which contains the corrected PostgreSQL integration logic.", "If upgrading immediately is not possible, sanitize all configuration values before feeding them into shell commands \u2013 replace or escape special characters, or use parameterized database APIs that avoid shell invocation.", "Disable or remove the PostgreSQL dump feature until a patch is applied, or isolate the Budibase service in a restricted container so that any potential command injection is contained."], "summary": {"action": "Immediate Patch", "impact": "Command Injection leading to arbitrary shell execution"}, "threat_synthesis": {"affected_systems": "Budibase, the low\u2011code platform for internal tools and workflows. All releases up to and including 3.23.22 are affected; the flaw is located in packages/server/src/integrations/postgres.ts. Any deployment that uses PostgreSQL integration and accepts configuration values from users could be vulnerable.", "description_and_impact": "The vulnerability resides in the PostgreSQL integration of Budibase, where user\u2011controlled configuration values \u2013 such as database name, host, and password \u2013 are interpolated directly into a shell command without sanitization. This permits an attacker to inject malicious payloads, leading to arbitrary shell command execution on the host running the Budibase server. The potential impact includes full compromise of the affected system, data exfiltration, or disruption of services because the injected commands run with the privileges of the Budibase application process.", "risk_and_exploitability": "The CVSS score of 8.6 indicates a high\u2011severity weakness. The EPSS score is below 1\u202f%, suggesting low probability of exploitation at present, and the vulnerability is not listed in the CISA KEV catalog. Nevertheless, the attack vector is likely remote if an attacker can influence the configuration parameters \u2013 for example, through a user\u2011provided UI, API or environment variables \u2013 and can thereby execute arbitrary shell commands on the server. The absence of a public fix at the time of this report highlights the need for immediate remediation to prevent potential compromise."}}}}, "created": "2026-03-10T14:07:10.296662+00:00", "updated": "2026-04-16T10:15:26.114786+00:00", "vendors": ["budibase", "budibase$PRODUCT$budibase"]}