← Volver a CVEs

CVE-2026-35218

HIGH

8.7

Descripcion

Budibase is an open-source low-code platform. Prior to version 3.32.5, Budibase's Builder Command Palette renders entity names (tables, views, queries, automations) using Svelte's {@html} directive without any sanitization. An authenticated user with Builder access can create a table, automation, view, or query whose name contains an HTML payload (e.g. <img src=x onerror=alert(document.domain)>). When any Builder-role user in the same workspace opens the Command Palette (Ctrl+K), the payload executes in their browser, stealing their session cookie and enabling full account takeover. This issue has been patched in version 3.32.5.

Detalles CVE

Puntuacion CVSS v3.18.7

SeveridadHIGH

Vector CVSSCVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

Vector de ataqueNETWORK

ComplejidadLOW

Privilegios requeridosLOW

Interaccion usuarioREQUIRED

Publicado4/3/2026

Ultima modificacion4/3/2026

Fuentenvd

Avistamientos honeypot0

Debilidades (CWE)

CWE-79

Referencias

https://github.com/Budibase/budibase/commit/c9ccf0c19e5849f1bda96401aa33f97c99cd8cd6(security-advisories@github.com)

https://github.com/Budibase/budibase/pull/18243(security-advisories@github.com)

https://github.com/Budibase/budibase/releases/tag/3.32.5(security-advisories@github.com)

https://github.com/Budibase/budibase/security/advisories/GHSA-gp5x-2v54-v2q5(security-advisories@github.com)

Correlaciones IOC

Sin correlaciones registradas

This product uses data from the NVD API but is not endorsed or certified by the NVD.