Stored Cross-Site Scripting Flaw in Budibase Low-Code Platform
CVE-2026-48149

8.1HIGH

Key Information:

Vendor: Budibase
Status: Budibase
Vendor: CVE Published:; 27 May 2026

What is CVE-2026-48149?

Budibase, an open-source low-code platform, contains a vulnerability that allows stored cross-site scripting (XSS) attacks due to improper rendering of markdown content. In versions prior to 3.39.0, the Text component generates HTML content directly from markdown input without applying any sanitization processes. This oversight enables any user with write access on an underlying database table to store malicious scripts, potentially compromising the integrity of the application and its users. The issue has been addressed in version 3.39.0, where proper sanitization measures have been implemented to mitigate the risk of such attacks.

Affected Version(s)

budibase < 3.39.0

References

https://github.com/Budibase/budibase/security/advisories/...

x_refsource_CONFIRM

CVSS V3.1

Score:

8.1

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 27, 2026
Vulnerability Reserved
May 20, 2026

CVE-2026-48149 Data

JSON