{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-35218", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-01T18:48:58.938Z", "datePublished": "2026-04-03T15:47:45.469Z", "dateUpdated": "2026-04-03T20:05:06.999Z"}, "containers": {"cna": {"title": "Budibase: Stored XSS via unsanitized entity names rendered with {@html} in Builder Command Palette", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/Budibase/budibase/security/advisories/GHSA-gp5x-2v54-v2q5", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/Budibase/budibase/security/advisories/GHSA-gp5x-2v54-v2q5"}, {"name": "https://github.com/Budibase/budibase/pull/18243", "tags": ["x_refsource_MISC"], "url": "https://github.com/Budibase/budibase/pull/18243"}, {"name": "https://github.com/Budibase/budibase/commit/c9ccf0c19e5849f1bda96401aa33f97c99cd8cd6", "tags": ["x_refsource_MISC"], "url": "https://github.com/Budibase/budibase/commit/c9ccf0c19e5849f1bda96401aa33f97c99cd8cd6"}, {"name": "https://github.com/Budibase/budibase/releases/tag/3.32.5", "tags": ["x_refsource_MISC"], "url": "https://github.com/Budibase/budibase/releases/tag/3.32.5"}], "affected": [{"vendor": "Budibase", "product": "budibase", "versions": [{"version": "< 3.32.5", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-03T15:47:45.469Z"}, "descriptions": [{"lang": "en", "value": "Budibase is an open-source low-code platform. Prior to version 3.32.5, Budibase's Builder Command Palette renders entity names (tables, views, queries, automations) using Svelte's {@html} directive without any sanitization. An authenticated user with Builder access can create a table, automation, view, or query whose name contains an HTML payload (e.g. <img src=x onerror=alert(document.domain)>). When any Builder-role user in the same workspace opens the Command Palette (Ctrl+K), the payload executes in their browser, stealing their session cookie and enabling full account takeover. This issue has been patched in version 3.32.5."}], "source": {"advisory": "GHSA-gp5x-2v54-v2q5", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-03T20:04:56.978681Z", "id": "CVE-2026-35218", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-03T20:05:06.999Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-35218", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-03T20:04:56.978681Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-03T20:05:02.888Z"}}], "cna": {"title": "Budibase: Stored XSS via unsanitized entity names rendered with {@html} in Builder Command Palette", "source": {"advisory": "GHSA-gp5x-2v54-v2q5", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "Budibase", "product": "budibase", "versions": [{"status": "affected", "version": "< 3.32.5"}]}], "references": [{"url": "https://github.com/Budibase/budibase/security/advisories/GHSA-gp5x-2v54-v2q5", "name": "https://github.com/Budibase/budibase/security/advisories/GHSA-gp5x-2v54-v2q5", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/Budibase/budibase/pull/18243", "name": "https://github.com/Budibase/budibase/pull/18243", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/Budibase/budibase/commit/c9ccf0c19e5849f1bda96401aa33f97c99cd8cd6", "name": "https://github.com/Budibase/budibase/commit/c9ccf0c19e5849f1bda96401aa33f97c99cd8cd6", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/Budibase/budibase/releases/tag/3.32.5", "name": "https://github.com/Budibase/budibase/releases/tag/3.32.5", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Budibase is an open-source low-code platform. Prior to version 3.32.5, Budibase's Builder Command Palette renders entity names (tables, views, queries, automations) using Svelte's {@html} directive without any sanitization. An authenticated user with Builder access can create a table, automation, view, or query whose name contains an HTML payload (e.g. <img src=x onerror=alert(document.domain)>). When any Builder-role user in the same workspace opens the Command Palette (Ctrl+K), the payload executes in their browser, stealing their session cookie and enabling full account takeover. This issue has been patched in version 3.32.5."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-03T15:47:45.469Z"}}}, "cveMetadata": {"cveId": "CVE-2026-35218", "state": "PUBLISHED", "dateUpdated": "2026-04-03T20:05:06.999Z", "dateReserved": "2026-04-01T18:48:58.938Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-03T15:47:45.469Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:budibase:budibase:*:*:*:*:*:*:*:*", "matchCriteriaId": "500AAF3C-F561-4FCA-BC90-A6E771514C5D", "versionEndExcluding": "3.32.5", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Budibase is an open-source low-code platform. Prior to version 3.32.5, Budibase's Builder Command Palette renders entity names (tables, views, queries, automations) using Svelte's {@html} directive without any sanitization. An authenticated user with Builder access can create a table, automation, view, or query whose name contains an HTML payload (e.g. <img src=x onerror=alert(document.domain)>). When any Builder-role user in the same workspace opens the Command Palette (Ctrl+K), the payload executes in their browser, stealing their session cookie and enabling full account takeover. This issue has been patched in version 3.32.5."}], "id": "CVE-2026-35218", "lastModified": "2026-04-08T21:18:49.067", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 5.8, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-03T16:16:41.977", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/Budibase/budibase/commit/c9ccf0c19e5849f1bda96401aa33f97c99cd8cd6"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/Budibase/budibase/pull/18243"}, {"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/Budibase/budibase/releases/tag/3.32.5"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/Budibase/budibase/security/advisories/GHSA-gp5x-2v54-v2q5"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.32.5)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "budibase", "source": "cna", "vendor": "Budibase"}, "product": "budibase", "vendor": "budibase"}], "analysis": {"en": {"generated_at": "2026-04-08T22:29:50.098012+00:00", "value": {"mitigation_remediation": ["Upgrade Budibase to version 3.32.5 or newer, which sanitizes entity names before rendering.", "Prior to upgrading, scan existing workspaces and rename or delete any entities whose names contain suspicious HTML or JavaScript payloads.", "Revoke Builder permissions for users whose role is not required until the update is complete, to limit potential exposure.", "After the patch, verify that the Command Palette no longer executes code from entity names by creating a benign name and confirming no script execution occurs."], "summary": {"action": "Immediate Patch", "impact": "Account takeover via stored XSS"}, "threat_synthesis": {"affected_systems": "Budibase is the affected product. All installations running a version earlier than 3.32.5 are vulnerable, as the patch was introduced in 3.32.5 and later releases. Any workspace hostable entity whose name contains user\u2011controlled content may trigger the flaw.", "description_and_impact": "Budibase renders entity names\u2014such as tables, views, queries, and automations\u2014directly into the Builder Command Palette using Svelte's {@html} directive without sanitization. If a malicious user embeds HTML or JavaScript in an entity's name, the code executes client\u2011side whenever any Builder\u2011role user opens the palette, allowing theft of session cookies and full account takeover. This flaw corresponds to CWE\u201179, a stored cross\u2011site scripting vulnerability.", "risk_and_exploitability": "The recorded CVSS score is 8.7, indicating high severity. However, the EPSS score is below 1%, suggesting a low probability of exploitation in the wild, and the flaw is not listed in CISA's Known Exploited Vulnerabilities catalog. Attackers must be authenticated with Builder privileges and must create or modify an entity name in a shared workspace; any member with Builder access who then opens the palette will be affected. No additional disclosure or exploitation prerequisites are indicated beyond those in the description."}}}}, "created": "2026-04-03T21:12:58.060914+00:00", "updated": "2026-04-09T08:29:10.988664+00:00", "vendors": ["budibase", "budibase$PRODUCT$budibase"]}