CVE-2026-48149
Stored XSS in Budibase Text Component via Markdown
Publication date: 2026-05-27
Last updated on: 2026-05-27
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
| Metric | Value |
|---|---|
| Probability | |
| Percentile | |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| budibase | budibase | all versions before 3.39.0 (3.39.0 itself not affected) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability CVE-2026-48149 is a Stored Cross-Site Scripting (XSS) flaw that allows attackers to execute malicious scripts in the context of an admin session, potentially leading to full account takeover.
This can result in unauthorized access to sensitive data, including session cookies that are not protected with the httpOnly flag, increasing the risk of data breaches.
Such unauthorized access and potential data breaches can negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive information against unauthorized access and disclosure.
Therefore, until fixed, this vulnerability poses a significant risk to maintaining compliance with these regulations due to the possibility of data exposure and account compromise.
Can you explain this vulnerability to me?
CVE-2026-48149 is a Stored Cross-Site Scripting (XSS) vulnerability in the Budibase low-code platform affecting versions before 3.39.0.
The issue occurs because the Text component renders markdown by directly assigning parsed markdown to the innerHTML property without sanitization, allowing malicious JavaScript code to be executed.
Attackers with BASIC user privileges who have WRITE access to the underlying table can upload malicious payloads that get stored and executed when viewed by other users, including administrators.
There are two attack variants: on Budibase Cloud, attackers upload a .mjs file to a shared CloudFront distribution trusted by the app's Content Security Policy (CSP), which is then loaded via an iframe in markdown; on self-hosted instances, attackers upload HTML files with inline scripts served without CSP headers, allowing direct script execution.
How can this vulnerability impact me?
This vulnerability can lead to full account takeover because the malicious scripts can access session cookies that are not marked as httpOnly.
An attacker exploiting this flaw can execute arbitrary JavaScript in the context of other users, potentially stealing sensitive information, performing actions on behalf of victims, or compromising the integrity of the application.
Since the attack requires only BASIC user privileges with WRITE access, it poses a significant risk even from less privileged users.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves checking if your Budibase instance is running a version prior to 3.39.0 and if the Text component is used in Markdown mode without sanitization.
You can look for suspicious markdown content that includes script tags or iframe elements in columns bound to the Text component.
On a self-hosted instance, you may inspect uploaded HTML files with inline scripts served without Content Security Policy headers.
Commands to help detect potential exploitation or presence of malicious payloads might include:
- Using grep or similar tools to search for script tags or iframe elements in database fields or uploaded files, e.g., `grep -r '<script' /path/to/budibase/data` or `grep -r '<iframe' /path/to/budibase/data`.
- Checking the Budibase version via the application or deployment metadata to confirm if it is older than 3.39.0.
- Monitoring network traffic for requests to the shared CloudFront distribution (d2l5prqdbvm3op.cloudfront.net) that might indicate a malicious `.mjs` file being loaded from there.
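The grep commands above only match a literal `<script` or `<iframe`, so they miss upper-case tags and HTML-entity-encoded forms that a Markdown renderer still passes through as raw HTML. The following is an added triage script, not Budibase code, that scans stored Markdown cells the way a defender would during an investigation: it decodes numeric entities, lower-cases the text, and reports which row and column contain a risky construct. The `SAMPLE_ROWS` data and the `notes` column are constructed for the example; in a real check you would export the rows of the tables bound to a Text component in Markdown mode and feed them in. This is a detection aid for finding already-stored payloads, not a sanitizer; the render-side fix remains a proper HTML sanitizer such as DOMPurify, as the mitigation section says.

```javascript
// Added example (not Budibase code): scan stored Markdown cells for raw HTML
// constructs that the pre-3.39.0 Text component would have rendered unsanitized.
// The rows below are constructed sample data, not real Budibase rows.

// Patterns are checked against a lower-cased, entity-decoded copy of the cell.
// The first two mirror the advisory's grep suggestions; the rest are common
// sibling constructs worth flagging in the same triage pass.
const RISKY_PATTERNS = [
  { name: 'script-tag',     re: /<\s*script\b/ },
  { name: 'iframe-tag',     re: /<\s*iframe\b/ },
  { name: 'object-embed',   re: /<\s*(object|embed)\b/ },
  { name: 'event-handler',  re: /\bon[a-z]+\s*=/ },
  { name: 'javascript-uri', re: /javascript\s*:/ },
];

// Decode numeric/hex entities and the angle-bracket named entities so that
// `&#60;script` or `&#x3c;script` is seen as `<script` by the regexes above.
function decodeEntities(text) {
  return text
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => String.fromCodePoint(parseInt(h, 16)))
    .replace(/&#(\d+);?/g, (_, d) => String.fromCodePoint(parseInt(d, 10)))
    .replace(/&lt;/gi, '<')
    .replace(/&gt;/gi, '>');
}

// scanRows(rows, markdownColumns) -> [{ rowId, column, pattern, excerpt }]
// One finding per (cell, pattern) pair; excerpt is a short window around the hit.
function scanRows(rows, markdownColumns) {
  const findings = [];
  for (const row of rows) {
    for (const column of markdownColumns) {
      const raw = row[column];
      if (typeof raw !== 'string') continue;
      const text = decodeEntities(raw).toLowerCase();
      for (const { name, re } of RISKY_PATTERNS) {
        const m = re.exec(text);
        if (m) {
          findings.push({
            rowId: row._id,
            column,
            pattern: name,
            excerpt: text.slice(Math.max(0, m.index - 10), m.index + 40),
          });
        }
      }
    }
  }
  return findings;
}

// Constructed sample rows for a hypothetical table whose "notes" column is
// bound to a Text component in Markdown mode. Row 1 is benign; rows 2-4 carry
// the kinds of raw HTML the advisory says to look for, in disguised forms.
const SAMPLE_ROWS = [
  { _id: 'ro_1', notes: '# Release notes\n\nAll **good** here.' },
  { _id: 'ro_2', notes: 'See details <IFRAME src="https://example.invalid/x"></IFRAME>' },
  { _id: 'ro_3', notes: 'Click &#60;script&#62;/* constructed */&#60;/script&#62;' },
  { _id: 'ro_4', notes: '<img src=x onerror="/* constructed */">' },
];

// Convenience wrapper so the result can be checked programmatically.
function sampleFindings() {
  return scanRows(SAMPLE_ROWS, ['notes']);
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const f of sampleFindings()) {
    console.log(`${f.rowId}.${f.column}: ${f.pattern} -> ${JSON.stringify(f.excerpt)}`);
  }
}
```

Run it with Node to see one line per finding; an empty result for your exported rows means none of these constructs is stored, which is evidence of absence for the listed patterns only, not proof the instance is clean. Pair it with the version check, since the real fix is the upgrade.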
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade Budibase to version 3.39.0 or later, where this vulnerability is fixed.
Additional immediate steps include:
- Sanitize markdown output using a library like DOMPurify to prevent unsafe HTML or scripts from being rendered.
- Serve user-uploaded attachments with a `Content-Disposition: attachment` header to prevent them from being executed inline.
- Separate user content from the script CDN to avoid shared origins that allow script execution.
- Set the session cookies to `httpOnly: true` to prevent JavaScript access to session tokens.
Until the upgrade is applied, restrict WRITE permissions on tables bound to Text components in Markdown mode to trusted users only.