CVE-2026-35218 HIGH

CVE-2026-35218: Budibase: Stored XSS via unsanitized entity names rendered with {@html} in Builder Command Palette

Vendor Budibase

Product budibase

Weakness CWE-79 · XSS

Published April 3, 2026

Last update April 3, 2026

View on NVD All CVEs

CVSS base score

8.7/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction Required

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

What the vulnerability does

01Description

Budibase is an open-source low-code platform. Prior to version 3.32.5, Budibase's Builder Command Palette renders entity names (tables, views, queries, automations) using Svelte's {@html} directive without any sanitization. An authenticated user with Builder access can create a table, automation, view, or query whose name contains an HTML payload (e.g. <img src=x onerror=alert(document.domain)>). When any Builder-role user in the same workspace opens the Command Palette (Ctrl+K), the payload executes in their browser, stealing their session cookie and enabling full account takeover. This issue has been patched in version 3.32.5.

Key dates

02Disclosure timeline

April 3, 2026 CVE published

April 3, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-35218 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/79.html

Related vulnerabilities

CVE-2026-35218: Budibase: Stored XSS via unsanitized entity names rendered with {@html} in Builder Command Palette

01Description

02Disclosure timeline

03References

04Related CVE