Executive Summary

This vulnerability exists in Budibase, an open-source low-code platform, prior to version 3.32.5. The Builder Command Palette renders entity names (such as tables, views, queries, and automations) using Svelte's {@html} directive without sanitizing the input. An authenticated user with Builder access can create an entity with a name containing malicious HTML code (for example, an image tag with an onerror JavaScript event). When another Builder-role user opens the Command Palette, this malicious code executes in their browser.

The execution of this code can steal the victim's session cookie, allowing an attacker to take over their account. This vulnerability is a form of cross-site scripting (XSS) that enables full account takeover within the same workspace.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to a full account takeover for users with Builder roles in the same workspace. An attacker who exploits this issue can steal session cookies by injecting malicious HTML payloads into entity names. This compromises user accounts, potentially exposing sensitive data and allowing unauthorized actions within the Budibase platform.

Useful 0 Not Useful 0

Mitigation Strategies

To mitigate this vulnerability, upgrade Budibase to version 3.32.5 or later, where the issue has been patched.

Additionally, restrict Builder access to trusted users only, as the vulnerability requires authenticated Builder role access.

Useful 0 Not Useful 0

Compliance Impact

CVE-2026-35218 is a stored Cross-Site Scripting (XSS) vulnerability that allows an authenticated user with Builder access to inject malicious scripts into entity names. When other users open the affected Command Palette, these scripts execute in their browsers, enabling session cookie theft and full account takeover.

Such unauthorized access and session hijacking can lead to exposure of sensitive user data and unauthorized actions within the application, which may violate data protection requirements under standards like GDPR and HIPAA.

Specifically, the vulnerability compromises confidentiality and integrity of user sessions, potentially resulting in unauthorized disclosure or modification of personal or protected health information.

Therefore, until patched, this vulnerability poses a significant risk to compliance with regulations that mandate protection of user data and secure access controls.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by checking if your Budibase instance is running a version prior to 3.32.5, where the Builder Command Palette renders entity names using unsafe HTML rendering via Svelte's {@html} directive.

To detect exploitation attempts or presence of malicious payloads, you can inspect the names of entities such as tables, views, queries, or automations for suspicious HTML or JavaScript code.

Specifically, you can use API calls to list these entities and examine their names for embedded HTML tags or scripts.

• Use curl or similar tools to query the API endpoints that accept entity names, for example:
• curl -X GET https://your-budibase-instance/api/tables -H 'Authorization: Bearer <token>'
• curl -X GET https://your-budibase-instance/api/views -H 'Authorization: Bearer <token>'
• curl -X GET https://your-budibase-instance/api/queries -H 'Authorization: Bearer <token>'
• curl -X GET https://your-budibase-instance/api/automations -H 'Authorization: Bearer <token>'

Review the returned JSON for any entity names containing suspicious HTML tags such as <img>, <script>, or event handlers like onerror.

Additionally, monitoring browser activity for unexpected script execution when opening the Command Palette (Ctrl+K) can help detect exploitation.

Since the vulnerability requires authenticated Builder access, ensure that Builder users are monitored for creation of entities with suspicious names.

Useful 0 Not Useful 0