Security Advisories for @budibase/server in npm
Critical
21 days ago
Budibase has nonymous NoSQL operator injection via published-app query templates
npm
@budibase/server
Critical
22 days ago
Budibase has arbitrary file read by workspace-builder via PWA-zip symlink upload
npm
@budibase/server
High
22 days ago
Budibase: Mass Assignment in Webhook Trigger Allows Cross-Workspace Automation Execution via appId Override
npm
@budibase/server
High
22 days ago
Budibase: Unauthenticated S3 signed upload URL generation allows arbitrary writes with stored datasource credentials
npm
@budibase/server
High
22 days ago
Budibase has an Account Impersonation Issue โ Chat Identity Link Hijacking via Missing Consent & CSRF
npm
@budibase/server
High
22 days ago
Budibase: SSRF via OAuth2 token endpoint URL reaches internal hosts and cloud metadata
npm
@budibase/server
High
about 1 month ago
Budibase: Basic app users can exfiltrate stored REST datasource auth by rewriting datasource base URL
npm
@budibase/server
High
about 1 month ago
Budibase: Webhook schema endpoint authorization bypass allows unauthenticated mutation of webhook and automation schema
npm
@budibase/server
Critical
about 1 month ago
Budibase: Workspace-scoped builder escalates to global admin via /api/public/v1/roles/assign
npm
@budibase/server
Moderate
about 1 month ago
Budibase: Unvalidated VectorDB Host Parameter Enables SSRF
npm
@budibase/server
High
about 1 month ago
Budibase: SSRF via OAuth2 Config Validation โ Missing fetchWithBlacklist Protection
npm
@budibase/server
Moderate
about 2 months ago
Budibase: CouchDB Reduce Injection via Unsanitized Calculation Parameter in V1 Views API
npm
@budibase/server
High
2 months ago
Budibase: SSRF Bypass via HTTP Redirect in REST Datasource Integration
npm
@budibase/server
High
2 months ago
Budibase: SSRF in AI Extract File Automation Step via Missing IP Blacklist Validation
npm
@budibase/server
Critical
3 months ago
Budibase: Unauthenticated Remote Code Execution via Webhook Trigger and Bash Automation Step
npm
@budibase/server
High
3 months ago
Budibase: Path traversal in plugin file upload enables arbitrary directory deletion and file write
npm
@budibase/server
High
4 months ago
@budibase/server: Command Injection in PostgreSQL Dump Command
npm
@budibase/server
Critical
over 2 years ago
Budibase affected by VM2 Constructor Escape Vulnerability
npm
@budibase/server
Potential
Moderate
almost 4 years ago
Budibase Improper Control of Dynamically-Managed Code Resources vulnerability
npm
@budibase/bbui, @budibase/builder, @budibase/worker