Arbitrary JavaScript Code Execution in Budibase Cloud Platform
CVE-2026-27702
What is CVE-2026-27702?
Budibase, a low-code platform for building internal tools, has a code injection vulnerability in its cloud service in versions prior to 3.30.4. An authenticated user, including one on the free tier, can execute arbitrary JavaScript on the server because the in-memory view filtering implementation evaluates user-controlled view functions without restriction. Code run this way executes with the application's server-side privileges, so an attacker can read sensitive information such as database credentials and environment secrets and, from there, compromise the integrity of stored data. Only Budibase Cloud deployments are affected: self-hosted instances execute views in CouchDB rather than in the application's own process, so they are not susceptible. Budibase fixed the issue in version 3.30.4.
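The pattern the advisory describes, evaluating a user-supplied view function in the server process, is shown below beside a hardened form that treats the filter as data. This is an added illustration written for this page; it is not Budibase's code, and the row data, the `EXAMPLE_DB_PASSWORD` environment variable, and the function names are constructed for the example.

```javascript
// Added illustrative example, not Budibase's implementation. Shows the general
// "evaluate a user-controlled view function" pattern and a hardened alternative.

// Constructed sample table rows.
const SAMPLE_ROWS = [
  { id: 1, name: "alice", role: "admin", age: 41 },
  { id: 2, name: "bob", role: "user", age: 29 },
  { id: 3, name: "carol", role: "user", age: 35 },
];

// Constructed stand-in for a server-side secret (assumed variable name).
process.env.EXAMPLE_DB_PASSWORD = "hunter2";

// VULNERABLE: the view definition carries a JavaScript function body written by
// the (authenticated) user, and the server compiles and runs it in-process.
// new Function() runs with full access to the Node runtime, including
// process.env, so the "filter" is really arbitrary server-side code.
function filterViewUnsafe(rows, viewDef) {
  const fn = new Function("row", viewDef.filterFn); // attacker controls the body
  return rows.map((r) => ({ ...r })).filter((row) => fn(row));
}

// HARDENED: the view definition is a structured filter, not code. Only an
// allow-listed set of operators exists, and the lookup is guarded with
// hasOwnProperty so keys like "constructor" or "__proto__" cannot resolve to
// an inherited function.
const OPERATORS = {
  eq: (a, b) => a === b,
  ne: (a, b) => a !== b,
  gt: (a, b) => a > b,
  lt: (a, b) => a < b,
};

function filterViewSafe(rows, viewDef) {
  const { field, op, value } = viewDef.filter;
  if (typeof field !== "string") throw new Error("filter.field must be a string");
  if (!Object.prototype.hasOwnProperty.call(OPERATORS, op)) {
    throw new Error(`unsupported operator: ${op}`);
  }
  if (!["string", "number", "boolean"].includes(typeof value)) {
    throw new Error("filter.value must be a primitive");
  }
  const cmp = OPERATORS[op];
  return rows.filter(
    (row) => Object.prototype.hasOwnProperty.call(row, field) && cmp(row[field], value)
  );
}

// A benign view: both implementations return the same rows.
function benignDemo() {
  const unsafe = filterViewUnsafe(SAMPLE_ROWS, { filterFn: 'return row.role === "user";' });
  const safe = filterViewSafe(SAMPLE_ROWS, { filter: { field: "role", op: "eq", value: "user" } });
  return { unsafe: unsafe.map((r) => r.id), safe: safe.map((r) => r.id) };
}

// A malicious view: the function body reads a server secret and copies it into
// every returned row, so the secret comes back to the attacker in the view result.
function maliciousDemo() {
  const leaked = filterViewUnsafe(SAMPLE_ROWS, {
    filterFn: "row.secret = process.env.EXAMPLE_DB_PASSWORD; return true;",
  });
  return leaked.map((r) => r.secret);
}

// The same intent has no expression against the structured filter; an attempt
// to reach an inherited property through the operator name is rejected.
function maliciousAgainstSafe() {
  try {
    filterViewSafe(SAMPLE_ROWS, { filter: { field: "role", op: "constructor", value: "x" } });
    return "accepted";
  } catch (e) {
    return "rejected";
  }
}

console.log("benign:", benignDemo());
console.log("leaked via unsafe view:", maliciousDemo());
console.log("structured filter with op=constructor:", maliciousAgainstSafe());
```

The hardened version also guards the operator lookup with `hasOwnProperty` rather than a plain property read: on a normal object literal, `OPERATORS["constructor"]` resolves to `Object` through the prototype chain, which is the kind of detail that turns an allow-list into a bypass.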
Affected Version(s)
budibase < 3.30.4
