Platform: nodejs
Component: budibase
Fixed in: 3.32.6
CVE-2026-35218 is a cross-site scripting (XSS) vulnerability discovered in Budibase, an open-source low-code platform. This vulnerability allows an authenticated attacker with Builder access to inject malicious HTML into entity names, leading to potential session cookie theft and complete account takeover. The vulnerability affects versions of Budibase up to and including 3.32.5, and a fix is available in version 3.32.5.
The impact of CVE-2026-35218 is significant due to its potential for full account compromise. An attacker can craft a table, automation, view, or query name containing a malicious HTML payload, such as <img src=x onerror=alert(document.domain)>. When any user with Builder access opens the Command Palette (Ctrl+K), the payload executes within their browser context. This execution allows the attacker to steal the user's session cookie, effectively granting them complete control over the affected user's Budibase account. This could lead to unauthorized data access, modification, or deletion, as well as the creation of new malicious entities within the platform.
CVE-2026-35218 was publicly disclosed on 2026-04-03. There is currently no indication of active exploitation in the wild, but the ease of exploitation and the potential for account takeover make it a high-priority vulnerability. No public proof-of-concept (PoC) code has been released as of this writing. The vulnerability is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS: 0.03% (9th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-35218 is to upgrade Budibase to version 3.32.5 or later. This version includes a fix that properly sanitizes entity names before rendering them, preventing the execution of malicious HTML payloads. If upgrading immediately is not feasible, consider restricting Builder access to only trusted users. While not a complete solution, this limits the potential attack surface. Monitor Command Palette usage for unusual activity. There are no specific WAF rules or detection signatures readily available, but monitoring for unusual JavaScript execution within the Command Palette could be a proactive measure. After upgrading, confirm the fix by creating a test entity with a malicious payload in its name and verifying that the payload does not execute when the Command Palette is opened.
Update Budibase to version 3.32.5 or higher. This version fixes the stored XSS vulnerability in the Builder Command Palette. The update will prevent malicious code from executing in the browsers of Builder-role users.
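The rendering mistake described above, and the two defensive measures the advisory points at (escape the stored name before it reaches markup; audit existing names on an instance that cannot be upgraded yet), as an added example. This is illustrative code, not Budibase's own; the entity shape, function names and sample names are constructed, and the only payload used is the one quoted in the advisory.

```javascript
// Added example, not Budibase code. Shows how a stored entity name becomes
// script when interpolated into markup, and the escaping that neutralises it.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ESCAPES[c]);
}

// Vulnerable pattern: the stored name is concatenated straight into the
// palette item's HTML, so markup in the name is parsed as markup.
function renderPaletteItemUnsafe(entity) {
  return `<li class="palette-item" data-id="${entity.id}">${entity.name}</li>`;
}

// Hardened pattern: every field that came from storage is escaped first,
// so the same name renders as visible text instead of an element.
function renderPaletteItemSafe(entity) {
  return `<li class="palette-item" data-id="${escapeHtml(entity.id)}">${escapeHtml(entity.name)}</li>`;
}

// Audit helper for an instance that has not been upgraded yet: flag stored
// names that look like a tag or an inline event handler so an admin can
// review them. Plain punctuation such as ">" on its own is not flagged.
function findSuspiciousNames(entities) {
  const markup = /<\s*[a-z!\/]|on\w+\s*=|javascript:/i;
  return entities.filter((e) => markup.test(e.name)).map((e) => e.id);
}

// Constructed sample: two benign names and the payload quoted in the advisory.
const SAMPLE_ENTITIES = [
  { id: 'ta_1', type: 'table', name: 'Customers' },
  { id: 'au_2', type: 'automation', name: '<img src=x onerror=alert(document.domain)>' },
  { id: 'vw_3', type: 'view', name: 'Orders > 100' },
];

// Stand-alone run: compare the two renderings and list flagged ids.
for (const e of SAMPLE_ENTITIES) {
  console.log('unsafe:', renderPaletteItemUnsafe(e));
  console.log('safe:  ', renderPaletteItemSafe(e));
}
console.log('flagged for review:', findSuspiciousNames(SAMPLE_ENTITIES));
```

The audit regex is a coarse screen: it helps triage stored names before the upgrade, while the escaping in the renderer is what actually closes the bug.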
CVE-2026-35218 is a cross-site scripting (XSS) vulnerability in Budibase versions up to 3.32.5. It allows attackers to inject malicious HTML via entity names, potentially leading to account takeover.
You are affected if you are using Budibase versions 3.32.5 or earlier. Upgrade to 3.32.5 to resolve the vulnerability.
Upgrade Budibase to version 3.32.5 or later. This version includes a fix that sanitizes entity names and prevents the XSS vulnerability.
There is currently no evidence of active exploitation in the wild, but the vulnerability's potential impact warrants immediate attention and patching.
Refer to the official Budibase security advisory for detailed information and updates: [https://budibase.com/security/advisories/CVE-2026-35218](https://budibase.com/security/advisories/CVE-2026-35218)