Budibase patches stored XSS in Builder command palette
TL;DR — A stored XSS sink in Budibase’s Builder Command Palette can let a low-privilege Builder persist HTML payloads in entity names and execute them in other builders’ browsers (session theft/account takeover).
What happened
Budibase is an open-source low-code platform for building internal tools and automations, with a web-based “Builder” UI for designing apps.
CVE-2026-35218 describes a stored XSS issue in Budibase’s Builder Command Palette (opened via Ctrl+K / Cmd+K). The palette renders entity names (e.g., tables, views, queries, automations) using Svelte’s {@html} without sanitization; a Builder-role attacker can store an HTML payload in an entity name and have it execute when another Builder/Admin opens the palette, enabling session cookie theft and “full account takeover” per the advisory. (raw.githubusercontent.com)
This is a high-signal finding because it turns a “developer UX” feature (global command palette) into a cross-workspace execution sink: once a single malicious entity name exists, it can target every privileged user who uses the palette. Unsafe HTML rendering in admin/builder consoles remains a recurring real-world pivot for privilege escalation and lateral movement in internal platform tooling. (raw.githubusercontent.com)
Who is impacted
- Budibase deployments where untrusted or semi-trusted users have Builder access and can create/rename entities rendered by the Command Palette. (raw.githubusercontent.com)
- Affected versions vary slightly by source; treat this as a scoping ambiguity and prioritize vendor guidance and your own asset inventory:
| Component | Affected versions (per CVE record) | Affected versions (as listed in GHSA UI) | Patched version referenced by sources |
|---|---|---|---|
| budibase | < 3.32.5 (raw.githubusercontent.com) | <= 3.31.1 (github.com) | 3.32.5 (raw.githubusercontent.com) |
What to do now
- Follow vendor remediation guidance and apply the latest patched release available at the time of writing:
  "This issue has been patched in version 3.32.5." (raw.githubusercontent.com)
- Inventory Budibase instances and identify where Builder access is broadly granted (including contractors / shared workspaces); reduce Builder scope until patched where feasible, since Builder is the minimum privilege needed to persist the payload. (raw.githubusercontent.com)
- Hunt for malicious entity names in the Builder datastore/UI (tables/views/queries/automations) containing HTML (e.g., `<img ... onerror=...>` patterns) and review recent entity-creation/rename activity around the time suspicious Builder sessions occurred. (github.com)
- If compromise is suspected, treat it as a session integrity incident: invalidate sessions for Builder/Admin users in the impacted workspace(s) and rotate credentials reachable from those sessions (tokens in the builder environment, connected datasource credentials, etc.). (raw.githubusercontent.com)
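The following is an added example, not Budibase's code or anything from the advisory. It models the rendering defect described above in plain JavaScript (no Svelte): a stored entity name spliced into the page as raw markup, which is what `{@html name}` does, beside the hardened form that escapes it, which is what Svelte's default `{name}` interpolation does. It also shows the hunting step from the list above as code: a heuristic scan of stored entity names for markup, event-handler attributes or `javascript:` URLs. The entity records, the field names `type`/`name`, the `<li class="cmd-row">` markup and the hunt patterns are all assumptions made for the example.

```javascript
// Added example, not Budibase's code. Models the Builder palette bug in plain
// JavaScript: an entity name rendered as raw markup versus as escaped text,
// plus a scanner a defender can run over exported entity names.
// All entity records below are constructed sample data, not real Budibase rows.

// Escape the five characters that matter in an HTML text/attribute context.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern: the stored name is spliced in as markup, which is what
// Svelte's {@html name} does. Any tag inside the name becomes live DOM.
function renderPaletteRowUnsafe(entity) {
  return `<li class="cmd-row" data-type="${entity.type}">${entity.name}</li>`;
}

// Hardened pattern: every untrusted field is escaped first, so the browser
// shows the name as text. This is what Svelte's default {name} interpolation does.
function renderPaletteRowSafe(entity) {
  return `<li class="cmd-row" data-type="${escapeHtml(entity.type)}">${escapeHtml(entity.name)}</li>`;
}

// Heuristic hunt patterns (assumed, not from the advisory): any HTML tag,
// an inline event-handler attribute, or a javascript: URL inside a name.
const SUSPICIOUS_NAME_PATTERNS = [
  /<\s*\/?[a-z][^>]*>/i,
  /\bon[a-z]+\s*=/i,
  /javascript\s*:/i,
];

// Return the entities whose names match any hunt pattern, with the rule that hit.
function findSuspiciousEntityNames(entities) {
  const hits = [];
  for (const entity of entities) {
    const rule = SUSPICIOUS_NAME_PATTERNS.find((re) => re.test(entity.name));
    if (rule) hits.push({ type: entity.type, name: entity.name, rule: rule.source });
  }
  return hits;
}

// Constructed sample of what a Builder datastore export might contain.
const SAMPLE_ENTITIES = [
  { type: 'table', name: 'Customers' },
  { type: 'query', name: 'Orders > 30 days' },                    // angle bracket but no tag; not flagged
  { type: 'view', name: '<img src=x onerror="void 0">Invoices' },  // constructed, inert payload
  { type: 'automation', name: 'Nightly sync' },
];

function demo() {
  const hits = findSuspiciousEntityNames(SAMPLE_ENTITIES);
  console.log('Unsafe row:', renderPaletteRowUnsafe(SAMPLE_ENTITIES[2]));
  console.log('Safe row:  ', renderPaletteRowSafe(SAMPLE_ENTITIES[2]));
  console.log('Hunt hits: ', hits);
  return hits;
}

demo();
```

The scanner is deliberately broad: in a browser, `<last 30 days>` in a name would be parsed as an unknown element, so any `<tag>` shape is worth a look, while a lone `>` is not. Treat hits as leads to review against entity-creation and rename activity, not as confirmed compromise.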
Content is AI-assisted and reviewed by our team, but issues may be missed and best practices evolve rapidly; send corrections to [email protected]. Always consult official documentation and validate key implementation decisions before making design or security choices.
