CVE-2026-48149
Deferred Deferred - Pending Action
Stored XSS in Budibase Text Component via Markdown

Publication date: 2026-05-27

Last updated on: 2026-05-28

Assigner: GitHub, Inc.

Description
Budibase is an open-source low-code platform. Prior to 3.39.0, the Budibase Text component renders markdown by assigning marked.parse(markdown) straight to innerHTML with no sanitizer (packages/bbui/src/Markdown/MarkdownViewer.svelte:22). Any column a builder binds to a Text component in Markdown mode is a stored-XSS sink writable by every BASIC app user with WRITE on the underlying table. This vulnerability is fixed in 3.39.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-27
Last Modified
2026-05-28
Generated
2026-06-17
AI Q&A
2026-05-27
EPSS Evaluated
2026-06-15
NVD
CVE-2026-48149
EUVD
EUVD-2026-32591
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
budibase budibase to 3.39.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The vulnerability CVE-2026-48149 is a Stored Cross-Site Scripting (XSS) flaw that allows attackers to execute malicious scripts in the context of an admin session, potentially leading to full account takeover.

This can result in unauthorized access to sensitive data, including session cookies that are not protected with the httpOnly flag, increasing the risk of data breaches.

Such unauthorized access and potential data breaches can negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive information against unauthorized access and disclosure.

Therefore, until fixed, this vulnerability poses a significant risk to maintaining compliance with these regulations due to the possibility of data exposure and account compromise.

Executive Summary

CVE-2026-48149 is a Stored Cross-Site Scripting (XSS) vulnerability in the Budibase low-code platform affecting versions before 3.39.0.

The issue occurs because the Text component renders markdown by directly assigning parsed markdown to the innerHTML property without sanitization, allowing malicious JavaScript code to be executed.

Attackers with BASIC user privileges who have WRITE access to the underlying table can upload malicious payloads that get stored and executed when viewed by other users, including administrators.

There are two attack variants: on Budibase Cloud, attackers upload a .mjs file to a shared CloudFront distribution trusted by the app's Content Security Policy (CSP), which is then loaded via an iframe in markdown; on self-hosted instances, attackers upload HTML files with inline scripts served without CSP headers, allowing direct script execution.

Impact Analysis

This vulnerability can lead to full account takeover because the malicious scripts can access session cookies that are not marked as httpOnly.

An attacker exploiting this flaw can execute arbitrary JavaScript in the context of other users, potentially stealing sensitive information, performing actions on behalf of victims, or compromising the integrity of the application.

Since the attack requires only BASIC user privileges with WRITE access, it poses a significant risk even from less privileged users.

Detection Guidance

Detection of this vulnerability involves checking if your Budibase instance is running a version prior to 3.39.0 and if the Text component is used in Markdown mode without sanitization.

You can look for suspicious markdown content that includes script tags or iframe elements in columns bound to the Text component.

On a self-hosted instance, you may inspect uploaded HTML files with inline scripts served without Content Security Policy headers.

Commands to help detect potential exploitation or presence of malicious payloads might include:

  • Using grep or similar tools to search for script tags or iframe elements in database fields or uploaded files, e.g., `grep -r '<script' /path/to/budibase/data` or `grep -r '<iframe' /path/to/budibase/data`.
  • Checking the Budibase version via the application or deployment metadata to confirm if it is older than 3.39.0.
  • Monitoring network traffic for requests to the shared CloudFront distribution (d2l5prqdbvm3op.cloudfront.net) that might indicate malicious `.mjs` file uploads.
Mitigation Strategies

The primary mitigation is to upgrade Budibase to version 3.39.0 or later, where this vulnerability is fixed.

Additional immediate steps include:

  • Sanitize markdown output using a library like DOMPurify to prevent unsafe HTML or scripts from being rendered.
  • Serve user-uploaded attachments with a `Content-Disposition: attachment` header to prevent them from being executed inline.
  • Separate user content from the script CDN to avoid shared origins that allow script execution.
  • Set the session cookies to `httpOnly: true` to prevent JavaScript access to session tokens.

Until the upgrade is applied, restrict WRITE permissions on tables bound to Text components in Markdown mode to trusted users only.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-48149. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart