CVE-2026-35218
Received Received - Intake

Cross-Site Scripting in Budibase Builder Enables Account Takeover

Vulnerability report for CVE-2026-35218, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-04-03

Last updated on: 2026-04-08

Assigner: GitHub, Inc.

Description

Budibase is an open-source low-code platform. Prior to version 3.32.5, Budibase's Builder Command Palette renders entity names (tables, views, queries, automations) using Svelte's {@html} directive without any sanitization. An authenticated user with Builder access can create a table, automation, view, or query whose name contains an HTML payload (e.g. <img src=x onerror=alert(document.domain)>). When any Builder-role user in the same workspace opens the Command Palette (Ctrl+K), the payload executes in their browser, stealing their session cookie and enabling full account takeover. This issue has been patched in version 3.32.5.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-04-03
Last Modified
2026-04-08
Generated
2026-07-06
AI Q&A
2026-04-03
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
budibase budibase to 3.32.5 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

CVE-2026-35218 is a stored Cross-Site Scripting (XSS) vulnerability that allows an authenticated user with Builder access to inject malicious scripts into entity names. When other users open the affected Command Palette, these scripts execute in their browsers, enabling session cookie theft and full account takeover.

Such unauthorized access and session hijacking can lead to exposure of sensitive user data and unauthorized actions within the application, which may violate data protection requirements under standards like GDPR and HIPAA.

Specifically, the vulnerability compromises confidentiality and integrity of user sessions, potentially resulting in unauthorized disclosure or modification of personal or protected health information.

Therefore, until patched, this vulnerability poses a significant risk to compliance with regulations that mandate protection of user data and secure access controls.

Executive Summary

This vulnerability exists in Budibase, an open-source low-code platform, prior to version 3.32.5. The Builder Command Palette renders entity names (such as tables, views, queries, and automations) using Svelte's {@html} directive without sanitizing the input. An authenticated user with Builder access can create an entity with a name containing malicious HTML code (for example, an image tag with an onerror JavaScript event). When another Builder-role user opens the Command Palette, this malicious code executes in their browser.

The execution of this code can steal the victim's session cookie, allowing an attacker to take over their account. This vulnerability is a form of cross-site scripting (XSS) that enables full account takeover within the same workspace.

Impact Analysis

This vulnerability can lead to a full account takeover for users with Builder roles in the same workspace. An attacker who exploits this issue can steal session cookies by injecting malicious HTML payloads into entity names. This compromises user accounts, potentially exposing sensitive data and allowing unauthorized actions within the Budibase platform.

Mitigation Strategies

To mitigate this vulnerability, upgrade Budibase to version 3.32.5 or later, where the issue has been patched.

Additionally, restrict Builder access to trusted users only, as the vulnerability requires authenticated Builder role access.

Detection Guidance

This vulnerability can be detected by checking if your Budibase instance is running a version prior to 3.32.5, where the Builder Command Palette renders entity names using unsafe HTML rendering via Svelte's {@html} directive.

To detect exploitation attempts or presence of malicious payloads, you can inspect the names of entities such as tables, views, queries, or automations for suspicious HTML or JavaScript code.

Specifically, you can use API calls to list these entities and examine their names for embedded HTML tags or scripts.

  • Use curl or similar tools to query the API endpoints that accept entity names, for example:
  • curl -X GET https://your-budibase-instance/api/tables -H 'Authorization: Bearer <token>'
  • curl -X GET https://your-budibase-instance/api/views -H 'Authorization: Bearer <token>'
  • curl -X GET https://your-budibase-instance/api/queries -H 'Authorization: Bearer <token>'
  • curl -X GET https://your-budibase-instance/api/automations -H 'Authorization: Bearer <token>'

Review the returned JSON for any entity names containing suspicious HTML tags such as <img>, <script>, or event handlers like onerror.

Additionally, monitoring browser activity for unexpected script execution when opening the Command Palette (Ctrl+K) can help detect exploitation.

Since the vulnerability requires authenticated Builder access, ensure that Builder users are monitored for creation of entities with suspicious names.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-35218. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart