Npm · @Budibase/Server · CVE-2026-45719
**Name of the Vulnerable Software and Affected Versions**
Budibase versions prior to 3.38.1
**Description**
The V1 Views API endpoint "/api/views" accepts a `calculation` parameter in the request body that is interpolated directly into a CouchDB reduce function definition without validation. Although an internal `SCHEMA_MAP` object defines the valid calculation types (such as `sum`, `count`, and `stats`), it is not consulted when checking the input. A user with Builder permissions can therefore inject arbitrary JavaScript, which is executed by CouchDB's SpiderMonkey JavaScript engine when the view is queried. This allows arbitrary code execution within the CouchDB sandbox and potential data exfiltration across the database, because the reduce function receives the values of every matching document.
**Recommendations**
Update to version 3.38.1.
As a temporary workaround, restrict access to the "/api/views" endpoint to minimize the risk of exploitation.