CVE-2026-48149— Budibase: Stored XSS in Text component: BASIC users execute JS in admin session via MarkdownViewer innerHTML + CDN+srcdoc CSP bypass

CVSS 8.1 · High Updated May 28, 2026

Possible ATT&CK Techniques 1AI

T1190 · Exploit Public-Facing Application

Affected Version Matrix 1

Vendor	Product	Version Range	Status
Budibase	budibase	`< 3.39.0`	affected

Get alerts for future matching vulnerabilitiesLog in to subscribe

Vulnerability Information

Have questions about the vulnerability? See if Shenlong's analysis helps!

View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title

Budibase: Stored XSS in Text component: BASIC users execute JS in admin session via MarkdownViewer innerHTML + CDN+srcdoc CSP bypass

Source: NVD (National Vulnerability Database)

Vulnerability Description

Budibase is an open-source low-code platform. Prior to 3.39.0, the Budibase Text component renders markdown by assigning marked.parse(markdown) straight to innerHTML with no sanitizer (packages/bbui/src/Markdown/MarkdownViewer.svelte:22). Any column a builder binds to a Text component in Markdown mode is a stored-XSS sink writable by every BASIC app user with WRITE on the underlying table. This vulnerability is fixed in 3.39.0.

Source: NVD (National Vulnerability Database)

CVSS Information

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Source: NVD (National Vulnerability Database)

Vulnerability Type

在Web页面生成时对输入的转义处理不恰当(跨站脚本)

Source: NVD (National Vulnerability Database)

Affected Products

Vendor	Product	Affected Versions	CPE	Subscribe
Budibase	budibase	< 3.39.0	-

II. Public POCs for CVE-2026-48149

#	POC Description	Source Link	Shenlong Link

AI-Generated POCPremium

No public POC found.

III. Intelligence Information for CVE-2026-48149

请登录查看更多情报信息。

Vendor Advisories for CVE-2026-48149 (1)

🔗 Stored XSS in Text component: BASIC users execute JS in admin session via MarkdownViewer innerHTML + CDN+srcdoc CSP bypass · Advisory · Budibase/budibase · GitHub Read full article x_refsource_CONFIRM

https://nvd.nist.gov/vuln/detail/CVE-2026-48149

Same Patch Batch · Budibase · 2026-05-27 · 20 CVEs total

CVE-2026-46425	9.9 CRITICAL	Budibase: SCIM endpoints lack role-based authorization, BASIC users CRUD tenant users
CVE-2026-48150	9.0 CRITICAL	Budibase: Workspace-scoped builder escalates to global admin via /api/public/v1/roles/assi
CVE-2026-45716	8.8 HIGH	Budibase: Builder-to-Admin Privilege Escalation via onboardUsers Endpoint Without SMTP Con
CVE-2026-45717	8.8 HIGH	Budibase: `PUT /api/datasources/:datasourceId` is protected only by `TABLE/READ` permissio
CVE-2026-48153	8.5 HIGH	Budibase: SSRF via OAuth2 token endpoint URL reaches internal hosts and cloud metadata
CVE-2026-48152	8.1 HIGH	Budibase: Basic app users can exfiltrate stored REST datasource auth by rewriting datasour
CVE-2026-46427	7.7 HIGH	Budibase: Snowflake private key returned unmasked from datasource API to BASIC users
CVE-2026-45061	7.7 HIGH	Budibase: SSRF via trivial `.tar.gz` substring bypass in Plugin URL upload (`/api/plugin`)
CVE-2026-48146	7.7 HIGH	Budibase: SSRF via OAuth2 Config Validation — Missing fetchWithBlacklist Protection
CVE-2026-45548	7.7 HIGH	Budibase: SSRF in AI Extract File Automation Step via Missing IP Blacklist Validation
CVE-2026-45715	7.7 HIGH	Budibase: SSRF Bypass via HTTP Redirect in REST Datasource Integration
CVE-2026-46426	7.6 HIGH	Budibase: Unrestricted Upload of File with Dangerous Type
CVE-2026-48151	7.5 HIGH	Budibase: Webhook schema endpoint authorization bypass allows unauthenticated mutation of
CVE-2026-48147	6.5 MEDIUM	Budibase: Unanchored Regex in `matchers.ts` Allows CSRF Bypass via Query String Injection
CVE-2026-45719	6.5 MEDIUM	Budibase: CouchDB Reduce Injection via Unsanitized Calculation Parameter in V1 Views API
CVE-2026-45718	5.4 MEDIUM	Budibase: Row Action Trigger Bypasses View Row Filter Security Boundary Allowing Action on
CVE-2026-46424	4.2 MEDIUM	Budibase: Missing Cache Invalidation on Public API Role Unassignment Allows Revoked Users
CVE-2026-48128		Budibase: SSRF via User-Controlled queryId in Automation Execute Query Step
CVE-2026-48148		Budibase: Unvalidated VectorDB Host Parameter Enables SSRF

IV. Related Vulnerabilities

Same product: budibase

Same vendor: Budibase

Same weakness: CWE-79

V. Comments for CVE-2026-48149

No comments yet

Goal Reached Thanks to every supporter — we hit 100%!

CVE-2026-48149— Budibase: Stored XSS in Text component: BASIC users execute JS in admin session via MarkdownViewer innerHTML + CDN+srcdoc CSP bypass

Possible ATT&CK Techniques 1AI

Affected Version Matrix 1

I. Basic Information for CVE-2026-48149

Vulnerability Information

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Affected Products

II. Public POCs for CVE-2026-48149

III. Intelligence Information for CVE-2026-48149

Vendor Advisories for CVE-2026-48149 (1)

Same Patch Batch · Budibase · 2026-05-27 · 20 CVEs total

IV. Related Vulnerabilities

V. Comments for CVE-2026-48149

Leave a comment