RCE in Budibase

CVE-2026-25044

Budibase is an open-source low-code platform. Prior to version 3.33.4, the bash automation step executes user-provided commands using execSync without proper sanitization or validation. User input is processed through processStringSync whi…

Vulnerability class: Command Injection (OS Command Injection)

EPSS: 0.001 (24.6th percentile)
