{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-35218", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-01T18:48:58.938Z", "datePublished": "2026-04-03T15:47:45.469Z", "dateUpdated": "2026-04-03T20:05:06.999Z"}, "containers": {"cna": {"title": "Budibase: Stored XSS via unsanitized entity names rendered with {@html} in Builder Command Palette", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/Budibase/budibase/security/advisories/GHSA-gp5x-2v54-v2q5", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/Budibase/budibase/security/advisories/GHSA-gp5x-2v54-v2q5"}, {"name": "https://github.com/Budibase/budibase/pull/18243", "tags": ["x_refsource_MISC"], "url": "https://github.com/Budibase/budibase/pull/18243"}, {"name": "https://github.com/Budibase/budibase/commit/c9ccf0c19e5849f1bda96401aa33f97c99cd8cd6", "tags": ["x_refsource_MISC"], "url": "https://github.com/Budibase/budibase/commit/c9ccf0c19e5849f1bda96401aa33f97c99cd8cd6"}, {"name": "https://github.com/Budibase/budibase/releases/tag/3.32.5", "tags": ["x_refsource_MISC"], "url": "https://github.com/Budibase/budibase/releases/tag/3.32.5"}], "affected": [{"vendor": "Budibase", "product": "budibase", "versions": [{"version": "< 3.32.5", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-03T15:47:45.469Z"}, "descriptions": [{"lang": "en", "value": "Budibase is an open-source low-code platform. Prior to version 3.32.5, Budibase's Builder Command Palette renders entity names (tables, views, queries, automations) using Svelte's {@html} directive without any sanitization. An authenticated user with Builder access can create a table, automation, view, or query whose name contains an HTML payload (e.g. <img src=x onerror=alert(document.domain)>). When any Builder-role user in the same workspace opens the Command Palette (Ctrl+K), the payload executes in their browser, stealing their session cookie and enabling full account takeover. This issue has been patched in version 3.32.5."}], "source": {"advisory": "GHSA-gp5x-2v54-v2q5", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-03T20:04:56.978681Z", "id": "CVE-2026-35218", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-03T20:05:06.999Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-35218", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-03T20:04:56.978681Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-03T20:05:02.888Z"}}], "cna": {"title": "Budibase: Stored XSS via unsanitized entity names rendered with {@html} in Builder Command Palette", "source": {"advisory": "GHSA-gp5x-2v54-v2q5", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "Budibase", "product": "budibase", "versions": [{"status": "affected", "version": "< 3.32.5"}]}], "references": [{"url": "https://github.com/Budibase/budibase/security/advisories/GHSA-gp5x-2v54-v2q5", "name": "https://github.com/Budibase/budibase/security/advisories/GHSA-gp5x-2v54-v2q5", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/Budibase/budibase/pull/18243", "name": "https://github.com/Budibase/budibase/pull/18243", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/Budibase/budibase/commit/c9ccf0c19e5849f1bda96401aa33f97c99cd8cd6", "name": "https://github.com/Budibase/budibase/commit/c9ccf0c19e5849f1bda96401aa33f97c99cd8cd6", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/Budibase/budibase/releases/tag/3.32.5", "name": "https://github.com/Budibase/budibase/releases/tag/3.32.5", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Budibase is an open-source low-code platform. Prior to version 3.32.5, Budibase's Builder Command Palette renders entity names (tables, views, queries, automations) using Svelte's {@html} directive without any sanitization. An authenticated user with Builder access can create a table, automation, view, or query whose name contains an HTML payload (e.g. <img src=x onerror=alert(document.domain)>). When any Builder-role user in the same workspace opens the Command Palette (Ctrl+K), the payload executes in their browser, stealing their session cookie and enabling full account takeover. This issue has been patched in version 3.32.5."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-03T15:47:45.469Z"}}}, "cveMetadata": {"cveId": "CVE-2026-35218", "state": "PUBLISHED", "dateUpdated": "2026-04-03T20:05:06.999Z", "dateReserved": "2026-04-01T18:48:58.938Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-03T15:47:45.469Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:budibase:budibase:*:*:*:*:*:*:*:*", "matchCriteriaId": "500AAF3C-F561-4FCA-BC90-A6E771514C5D", "versionEndExcluding": "3.32.5", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Budibase is an open-source low-code platform. Prior to version 3.32.5, Budibase's Builder Command Palette renders entity names (tables, views, queries, automations) using Svelte's {@html} directive without any sanitization. An authenticated user with Builder access can create a table, automation, view, or query whose name contains an HTML payload (e.g. <img src=x onerror=alert(document.domain)>). When any Builder-role user in the same workspace opens the Command Palette (Ctrl+K), the payload executes in their browser, stealing their session cookie and enabling full account takeover. This issue has been patched in version 3.32.5."}], "id": "CVE-2026-35218", "lastModified": "2026-04-08T21:18:49.067", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 5.8, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-03T16:16:41.977", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/Budibase/budibase/commit/c9ccf0c19e5849f1bda96401aa33f97c99cd8cd6"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/Budibase/budibase/pull/18243"}, {"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/Budibase/budibase/releases/tag/3.32.5"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/Budibase/budibase/security/advisories/GHSA-gp5x-2v54-v2q5"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.32.5)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "budibase", "source": "cna", "vendor": "Budibase"}, "product": "budibase", "vendor": "budibase"}], "analysis": {"en": {"generated_at": "2026-04-03T18:50:51.573851+00:00", "value": {"mitigation_remediation": ["Upgrade Budibase to version 3.32.5 or later, which includes the patch for the unsanitized entity name rendering issue."], "summary": {"action": "Immediate Patch", "impact": "Account takeover via stored XSS"}, "threat_synthesis": {"affected_systems": "Any Budibase installation running a version prior to 3.32.5 is affected. The issue requires an authenticated user with Builder access to create an entity whose name contains the harmful payload. Once established, all users with Builder privileges in the same workspace who open the command palette can be impacted. The bug does not affect unauthenticated users or other roles outside the workspace. All Budibase deployments using the default open\u2011source build are potentially vulnerable until patched.", "description_and_impact": "Budibase\u2019s Builder command palette renders entity names with the Svelte {@html} directive without sanitization, creating a stored cross\u2011site scripting flaw. The flaw enables an authenticated Builder\u2011privileged user to create a table, view, query, or automation whose name contains malicious HTML. When any Builder\u2011role user opens the palette, the payload executes in the browser, allowing the attacker to read or steal the session cookie and ultimately perform a full account takeover. The weakness is a stored XSS (CWE\u201179).", "risk_and_exploitability": "The CVSS score is 8.7, indicating high severity. No EPSS score is provided, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires an attacker to obtain Builder privileges, inject a malicious name, and wait for other Builder\u2011role users to open the palette. Because the trigger is local to the client\u2019s browser, any user who accesses the command palette after the malicious entity is created is vulnerable. Internal threat actors or compromised credentials pose the highest risk, while external attackers would need to first compromise a Builder account to exploit the flaw."}}}}, "created": "2026-04-03T21:12:58.060914+00:00", "updated": "2026-04-03T21:15:10.303475+00:00", "vendors": ["budibase", "budibase$PRODUCT$budibase"]}