Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score | Vulnerability | Published
5.3 MEDIUM
CVE-2026-48148 — Budibase: Unvalidated VectorDB Host Parameter Enables SSRF

Budibase is an open-source low-code platform. Prior to 3.35.3, the VectorDB configuration endpoint in Budibase accepts a host parameter that undergoes no validation against internal IP ranges, reser…

Remote | Server-Side Request Forgery
Published: May 27, 2026
6.5 MEDIUM
CVE-2026-48147 — Budibase: Unanchored Regex in `matchers.ts` Allows CSRF Bypass via Query String Injection…

Budibase is an open-source low-code platform. Prior to 3.35.4, the buildMatcherRegex() / matches() functions in packages/backend-core/src/middleware/matchers.ts route patterns are compiled into unanc…

Remote | Cross-Site Request Forgery
Published: May 27, 2026
7.7 HIGH
CVE-2026-48146 — Budibase: SSRF via OAuth2 Config Validation — Missing fetchWithBlacklist Protection

Budibase is an open-source low-code platform. Prior to 3.39.0, the OAuth2 token fetch function in packages/server/src/sdk/workspace/oauth2/utils.ts uses raw fetch(config.url) with no SSRF protection.…

Remote | Server-Side Request Forgery
Published: May 27, 2026
5.1 MEDIUM
CVE-2026-48128 — Budibase: SSRF via User-Controlled queryId in Automation Execute Query Step

Budibase is an open-source low-code platform. Prior to 3.39.0, the executeQuery automation step in Budibase accepts a queryId from automation step inputs and passes it directly to the query execution…

Remote | Server-Side Request Forgery
Published: May 27, 2026
7.7 HIGH
CVE-2026-46427 — Budibase: Snowflake private key returned unmasked from datasource API to BASIC users

Budibase is an open-source low-code platform. Prior to 3.38.3, removeSecrets at packages/server/src/sdk/workspace/datasources/datasources.ts masks only datasource config fields whose schema type is D…

Remote | Information Disclosure
Published: May 27, 2026
7.6 HIGH
CVE-2026-46426 — Budibase: Unrestricted Upload of File with Dangerous Type

Budibase is an open-source low-code platform. Prior to 3.38.2, the file upload endpoint POST /api/attachments/process does not enforce active-content restrictions for authenticated users. The checks …

budibase | Remote | Cross-Site Scripting
Published: May 27, 2026
9.9 CRITICAL
CVE-2026-46425 — Budibase: SCIM endpoints lack role-based authorization, BASIC users CRUD tenant users

Budibase is an open-source low-code platform. Prior to 3.38.2, packages/worker/src/api/routes/global/scim.ts attaches only two middlewares to the SCIM router: requireSCIM (checks the Enterprise featu…

Remote | Authorization
Published: May 27, 2026
4.2 MEDIUM
CVE-2026-46424 — Budibase: Missing Cache Invalidation on Public API Role Unassignment Allows Revoked Users…

Budibase is an open-source low-code platform. Prior to 3.38.2, the public API role unassignment endpoint (POST /api/public/v1/roles/unassign) updates user documents in CouchDB but does not invalidate…

Remote | Authorization
Published: May 27, 2026
6.5 MEDIUM
CVE-2026-45719 — Budibase: CouchDB Reduce Injection via Unsanitized Calculation Parameter in V1 Views API

Budibase is an open-source low-code platform. Prior to 3.38.1, the V1 Views API (POST /api/views) accepts a calculation parameter from the request body that is interpolated directly into a CouchDB re…

Remote | Injection
Published: May 27, 2026
5.4 MEDIUM
CVE-2026-45718 — Budibase: Row Action Trigger Bypasses View Row Filter Security Boundary Allowing Action o…

Budibase is an open-source low-code platform. Prior to 3.38.1, the row action trigger endpoint (POST /api/tables/:sourceId/actions/:actionId/trigger) fails to validate that the user-supplied rowId is…

budibase | Remote | Authorization
Published: May 27, 2026
8.8 HIGH
CVE-2026-45717 — Budibase: `PUT /api/datasources/:datasourceId` is protected only by `TABLE/READ` permissi…

Budibase is an open-source low-code platform. Prior to 3.38.1, Budibase exposes a REST API for datasource management. The route PUT /api/datasources/:datasourceId is registered in the authorizedRoute…

Remote | Server-Side Request Forgery
Published: May 27, 2026
8.8 HIGH
CVE-2026-45716 — Budibase: Builder-to-Admin Privilege Escalation via onboardUsers Endpoint Without SMTP Co…

Budibase is an open-source low-code platform. Prior to 3.38.1, the POST /api/global/users/onboard endpoint is protected by workspaceBuilderOrAdmin middleware, allowing any user with builder permissio…

Remote | Authorization
Published: May 27, 2026
7.7 HIGH
CVE-2026-45715 — Budibase: SSRF Bypass via HTTP Redirect in REST Datasource Integration

Budibase is an open-source low-code platform. Prior to 3.38.1, the REST datasource integration (packages/server/src/integrations/rest.ts) follows HTTP redirects without re-checking the IP blacklist, …

Remote | Server-Side Request Forgery
Published: May 27, 2026
7.7 HIGH
CVE-2026-45548 — Budibase: SSRF in AI Extract File Automation Step via Missing IP Blacklist Validation

Budibase is an open-source low-code platform. Prior to 3.34.8, the processUrlFile function in packages/server/src/automations/steps/ai/extract.ts uses fetch(fileUrl) directly without the IP blacklist…

Remote | Server-Side Request Forgery
Published: May 27, 2026
7.5 HIGH
CVE-2026-45090 — Dalfox: Unauthenticated Remote DoS via Closed-Channel Write in `ParameterAnalysis` (serve…

Dalfox is a powerful open-source XSS scanner and utility focused on automation. Prior to 2.13.0, ParameterAnalysis in pkg/scanning/parameterAnalysis.go runs two sequential worker stages that both wri…

Remote | Denial of Service
Published: May 27, 2026
8.2 HIGH
CVE-2026-45089 — Dalfox: Unauthenticated Arbitrary File Create/Append via `output` Option in Dalfox Server…

Dalfox is a powerful open-source XSS scanner and utility focused on automation. Prior to 2.13.0, when dalfox is run in REST API server mode, the output, output-all, and debug fields in model.Options …

Remote | Path Traversal
Published: May 27, 2026
7.5 HIGH
CVE-2026-45088 — Dalfox: Unauthenticated Arbitrary File Read with Out-of-Band Exfiltration via `custom-pay…

Dalfox is a powerful open-source XSS scanner and utility focused on automation. Prior to 2.13.0, when dalfox is run in REST API server mode, the custom-payload-file field in model.Options is JSON-tag…

Remote | Cross-Site Scripting
Published: May 27, 2026
10.0 CRITICAL
CVE-2026-45087 — Dalfox: Unauthenticated Remote Code Execution via `found-action` in Dalfox Server Mode

Dalfox is a powerful open-source XSS scanner and utility focused on automation. Prior to 2.13.0, when dalfox is started in REST API server mode (dalfox server), the server binds to 0.0.0.0:6664 by de…

Remote | Cross-Site Scripting
Published: May 27, 2026
6.5 MEDIUM
CVE-2026-45081 — Frappe HR: Permission Bypass in HRMS Leave Details API

Frappe HR is an open-source human resources management solution (HRMS). Prior to 16.5.0, authenticated employees could access other employees’ leave details due to improper authorization checks. This…

Remote | Authorization
Published: May 27, 2026
7.7 HIGH
CVE-2026-45061 — Budibase: SSRF via trivial `.tar.gz` substring bypass in Plugin URL upload (`/api/plugin`)

Budibase is an open-source low-code platform. Prior to 3.35.10, the Plugin URL upload endpoint (POST /api/plugin) validates the submitted URL with a single substring check: url.includes(".tar.gz"). A…

budibase | Remote | Server-Side Request Forgery
Published: May 27, 2026
Showing 20 of 6573 Results