CVE-2026-25044

EUVD-2026-18754
Budibase is an open-source low-code platform. Prior to version 3.33.4, the bash automation step executes user-provided commands using execSync without proper sanitization or validation. User input is processed through processStringSync which allows template interpolation, potentially allowing arbitrary command execution. This issue has been patched in version 3.33.4.
OS Command Injection
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
8.7 HIGH
NETWORK
LOW
LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
Affected Products (NVD)
VendorProductVersion
budibasebudibase
𝑥
< 3.33.4
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://github.com/Budibase/budibase/releases/tag/3.33.2
https://github.com/Budibase/budibase/security/advisories/GHSA-gjw9-34gf-rp6m