CVE-2026-45719 MEDIUM

CVE-2026-45719: Budibase: CouchDB Reduce Injection via Unsanitized Calculation Parameter in V1 Views API

Vendor Budibase
Product budibase
Weakness CWE-94 · Code injection
Published May 27, 2026
Last update May 27, 2026

CVSS base score

6.5/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N

What the vulnerability does

01Description

Budibase is an open-source low-code platform. Prior to 3.38.1, the V1 Views API (POST /api/views) accepts a calculation parameter from the request body that is interpolated directly into a CouchDB reduce function definition without validation. Although an internal SCHEMA_MAP object defines the valid calculation types (sum, count, stats), no actual validation is performed against this map before the value is used in string interpolation. A user with Builder permissions can inject arbitrary JavaScript code that will be executed within the CouchDB JavaScript engine when the view is queried. This vulnerability is fixed in 3.38.1.

Key dates

02Disclosure timeline

May 27, 2026 CVE published
May 27, 2026 Record updated