CVE-2026-48149 HIGH

CVE-2026-48149: Budibase: Stored XSS in Text component: BASIC users execute JS in admin session via MarkdownViewer innerHTML + CDN+srcdoc CSP bypass

Vendor Budibase
Product budibase
Weakness CWE-79 · XSS
Published May 27, 2026
Last update May 28, 2026
View on NVD All CVEs

CVSS base score

8.1/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

What the vulnerability does

01Description

Budibase is an open-source low-code platform. Prior to 3.39.0, the Budibase Text component renders markdown by assigning marked.parse(markdown) straight to innerHTML with no sanitizer (packages/bbui/src/Markdown/MarkdownViewer.svelte:22). Any column a builder binds to a Text component in Markdown mode is a stored-XSS sink writable by every BASIC app user with WRITE on the underlying table. This vulnerability is fixed in 3.39.0.

Key dates

02Disclosure timeline

May 27, 2026 CVE published
May 28, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2022-45836 WordPress Download Manager Plugin <= 3.2.59 is vulnerable to Cross Site Scripting (XSS) CVE-2024-10176 Compact WP Audio Player <= 1.9.13 - Authenticated (Contributor+) Stored Cross-Site Scripting via sc_embed_player Shortcode CVE-2023-26534 WordPress WP Repost Plugin <= 0.1 is vulnerable to Cross Site Scripting (XSS) CVE-2022-1164 Wyzi < 2.4.3 - Reflected Cross-Site Scripting (XSS) CVE-2024-53261 Cross-Site Scripting attack (XSS) on dev mode 404 page in SvelteKit