CVE-2026-35218
Cross-Site Scripting in Budibase Builder Enables Account Takeover

Publication date: 2026-04-03

Last updated on: 2026-04-08

Assigner: GitHub, Inc.

Description
Budibase is an open-source low-code platform. Prior to version 3.32.5, Budibase's Builder Command Palette renders entity names (tables, views, queries, automations) using Svelte's {@html} directive without any sanitization. An authenticated user with Builder access can create a table, automation, view, or query whose name contains an HTML payload (e.g. <img src=x onerror=alert(document.domain)>). When any Builder-role user in the same workspace opens the Command Palette (Ctrl+K), the payload executes in their browser, stealing their session cookie and enabling full account takeover. This issue has been patched in version 3.32.5.
Meta Information
Published: 2026-04-03
Last Modified: 2026-04-08
Generated: 2026-05-07
AI Q&A: 2026-04-03
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor: budibase
Product: budibase
Version / Range: up to 3.32.5 (excluding 3.32.5)
Weakness
CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

CVE-2026-35218 is a stored Cross-Site Scripting (XSS) vulnerability that allows an authenticated user with Builder access to inject malicious scripts into entity names. When other users open the affected Command Palette, these scripts execute in their browsers, enabling session cookie theft and full account takeover.

Such unauthorized access and session hijacking can lead to exposure of sensitive user data and unauthorized actions within the application, which may violate data protection requirements under standards like GDPR and HIPAA.

Specifically, the vulnerability compromises confidentiality and integrity of user sessions, potentially resulting in unauthorized disclosure or modification of personal or protected health information.

Therefore, until patched, this vulnerability poses a significant risk to compliance with regulations that mandate protection of user data and secure access controls.


Can you explain this vulnerability to me?

This vulnerability exists in Budibase, an open-source low-code platform, prior to version 3.32.5. The Builder Command Palette renders entity names (such as tables, views, queries, and automations) using Svelte's {@html} directive without sanitizing the input. An authenticated user with Builder access can create an entity with a name containing malicious HTML code (for example, an image tag with an onerror JavaScript event). When another Builder-role user opens the Command Palette, this malicious code executes in their browser.

The execution of this code can steal the victim's session cookie, allowing an attacker to take over their account. This vulnerability is a form of cross-site scripting (XSS) that enables full account takeover within the same workspace.


How can this vulnerability impact me?

This vulnerability can lead to a full account takeover for users with Builder roles in the same workspace. An attacker who exploits this issue can steal session cookies by injecting malicious HTML payloads into entity names. This compromises user accounts, potentially exposing sensitive data and allowing unauthorized actions within the Budibase platform.


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, upgrade Budibase to version 3.32.5 or later, where the issue has been patched.

Additionally, restrict Builder access to trusted users only, as the vulnerability requires authenticated Builder role access.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by checking if your Budibase instance is running a version prior to 3.32.5, where the Builder Command Palette renders entity names using unsafe HTML rendering via Svelte's {@html} directive.

To detect exploitation attempts or presence of malicious payloads, you can inspect the names of entities such as tables, views, queries, or automations for suspicious HTML or JavaScript code.

Specifically, you can use API calls to list these entities and examine their names for embedded HTML tags or scripts.

Use curl or a similar tool to query the API endpoints that return these entities, for example:

  curl -X GET https://your-budibase-instance/api/tables -H 'Authorization: Bearer <token>'
  curl -X GET https://your-budibase-instance/api/views -H 'Authorization: Bearer <token>'
  curl -X GET https://your-budibase-instance/api/queries -H 'Authorization: Bearer <token>'
  curl -X GET https://your-budibase-instance/api/automations -H 'Authorization: Bearer <token>'

Review the returned JSON for any entity names containing suspicious HTML tags such as <img>, <script>, or event handlers like onerror.

Additionally, monitoring browser activity for unexpected script execution when opening the Command Palette (Ctrl+K) can help detect exploitation.

Since the vulnerability requires authenticated Builder access, ensure that Builder users are monitored for creation of entities with suspicious names.
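The detection steps above amount to: pull the entity lists, then look at each name for markup that should never appear in a plain identifier. The following script is an added example, not Budibase code and not part of this advisory. It runs the name check over constructed sample API responses (the response shape, the field names `_id`/`id`/`name`, and the endpoint names used as keys are assumptions; real responses may differ), and it also shows the general remediation pattern of HTML-escaping a name before it reaches the DOM instead of rendering it as markup, which is the class of fix CWE-79 calls for rather than the exact change shipped in 3.32.5.

```javascript
// Added example (not Budibase code): flag entity names that contain HTML
// markup or script-bearing attributes, i.e. names that would become live
// markup if rendered through an unsanitized {@html}-style directive.

const TAG_RE = /<\s*\/?\s*[a-z][^>]*>/i;        // any HTML-looking tag
const EVENT_HANDLER_RE = /\bon[a-z]+\s*=/i;     // onerror=, onload=, onclick=, ...
const URI_SCHEME_RE = /\b(javascript|vbscript|data)\s*:/i; // script-capable URI schemes

// A plain entity name (table, view, query, automation) should never match any of these.
function isSuspiciousName(name) {
  if (typeof name !== 'string') return false;
  return TAG_RE.test(name) || EVENT_HANDLER_RE.test(name) || URI_SCHEME_RE.test(name);
}

// Endpoints may return a bare array or an object wrapping one (assumed shapes);
// accept both and hand back the list of entity objects.
function extractEntities(payload) {
  if (Array.isArray(payload)) return payload;
  if (payload && typeof payload === 'object') {
    for (const value of Object.values(payload)) {
      if (Array.isArray(value)) return value;
    }
  }
  return [];
}

// Return one finding per suspicious entity: which endpoint it came from, its id, its name.
function findSuspiciousEntities(kind, payload) {
  return extractEntities(payload)
    .filter((entity) => entity && isSuspiciousName(entity.name))
    .map((entity) => ({ kind, id: entity._id ?? entity.id ?? null, name: entity.name }));
}

// Scan a map of endpoint name -> decoded JSON response, e.g. the four GET calls above.
function scanAll(responses) {
  return Object.entries(responses).flatMap(([kind, payload]) =>
    findSuspiciousEntities(kind, payload)
  );
}

// Remediation side of the same bug class: render a name as text, never as markup.
// Escaping the five HTML-significant characters makes a payload display literally.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Constructed sample responses; the second table name is the payload quoted in the advisory.
const SAMPLE_RESPONSES = {
  tables: [
    { _id: 'ta_1', name: 'Customers' },
    { _id: 'ta_2', name: 'Orders <img src=x onerror=alert(document.domain)>' },
  ],
  views: { views: [{ id: 'v_1', name: 'Active Customers' }] },
  queries: [{ _id: 'q_1', name: 'report<script>alert(1)</script>' }],
  automations: [{ _id: 'au_1', name: 'Notify onerror=alert(1)' }],
};

if (typeof require !== 'undefined' && require.main === module) {
  for (const finding of scanAll(SAMPLE_RESPONSES)) {
    // Print the escaped form so the finding itself is safe to paste into a report or ticket.
    console.log(`${finding.kind} ${finding.id}: ${escapeHtml(finding.name)}`);
  }
}
```

In practice you would feed `scanAll` the decoded bodies of the four curl calls (keyed by endpoint) and treat any finding as a reason to rename the entity and review who created it. The three regexes are deliberately broad: a false positive on an odd but legitimate name costs a manual look, while a miss leaves a stored payload in place.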

