PT-2026-21923 · Budibase · Budibase
Vicevirus · Published 2026-02-25 · Updated 2026-03-02
CVE-2026-27702 · CVSS v3.1 9.9 Critical · AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L
Name of the Vulnerable Software and Affected Versions: Budibase versions prior to 3.30.4

Description: Budibase, a low-code platform for building internal tools, workflows and admin panels, contains an unsafe eval() in its view filtering implementation. The issue affects Budibase Cloud (SaaS) deployments only; self-hosted deployments, which use native CouchDB views, are not vulnerable.

The vulnerable code is in packages/server/src/db/inMemoryView.ts, where a user-controlled view map function is evaluated without sanitization. The view.map parameter originates from user input when a table view is created with filters; it is concatenated with a string and passed to eval(), so any JavaScript an authenticated user places in a filter value runs in the server process. No elevated privileges are required: a free-tier account is sufficient.

The app-service pod runs with sensitive values in its environment variables, including INTERNAL_API_KEY, JWT_SECRET, the CouchDB admin credentials and AWS keys. Code running in that process can read them, connect to CouchDB, enumerate tenant databases and retrieve user records such as email addresses.
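The pattern the description refers to, as an added example that is not Budibase's own code: a map function received from a request is concatenated into a string and passed to eval(), so the caller's JavaScript runs inside the server process, beside the general remedy of keeping filters as structured data matched against an allowlist of operators, so no user-supplied text is ever parsed as code. The function names (runMapUnsafe, runViewSafe, buildPredicate), the sample documents and the EXAMPLE_SECRET environment variable are constructed for illustration; the safe half shows the general approach, not the change shipped in Budibase 3.30.4, which the advisory does not describe.

```javascript
// Added example, not Budibase code. All names, documents and the
// EXAMPLE_SECRET variable below are constructed for illustration.

// Constructed documents standing in for rows and users in a tenant database.
const SAMPLE_DOCS = [
  { _id: "ro_1", tableId: "ta_tickets", status: "open", owner: "alice@example.com" },
  { _id: "ro_2", tableId: "ta_tickets", status: "closed", owner: "bob@example.com" },
  { _id: "us_1", tableId: "ta_users", email: "carol@example.com" },
];

// Constructed stand-in for the secrets an app-service process carries in its
// environment (INTERNAL_API_KEY, JWT_SECRET, database credentials, ...).
process.env.EXAMPLE_SECRET = "constructed-secret-value";

// VULNERABLE: the map source comes from the request body, is concatenated
// into a string and eval()ed. Because this is a direct eval inside the
// function, the attacker's code sees `emit` and everything else the process
// can reach, including process.env and require().
function runMapUnsafe(mapSource, docs) {
  const rows = [];
  const emit = (key, value) => rows.push({ key, value });
  const mapFn = eval("(" + mapSource + ")"); // user input becomes code here
  for (const doc of docs) mapFn(doc);
  return rows;
}

// What a malicious "filter" looks like: a syntactically valid map function
// whose body does whatever the attacker wants, here reading the environment.
const MALICIOUS_MAP = `function (doc) {
  emit(doc._id, process.env.EXAMPLE_SECRET);
}`;

// SAFE: the filter is data, validated against an allowlist of operators and
// turned into a predicate by ordinary code. Nothing the user sends is parsed
// as JavaScript, so there is no code to inject.
const OPERATORS = {
  equal: (actual, expected) => actual === expected,
  notEqual: (actual, expected) => actual !== expected,
  contains: (actual, expected) =>
    typeof actual === "string" && actual.includes(String(expected)),
  oneOf: (actual, expected) => Array.isArray(expected) && expected.includes(actual),
};

function buildPredicate(filters) {
  if (!Array.isArray(filters)) throw new TypeError("filters must be an array");
  const checks = filters.map(({ field, operator, value }) => {
    if (typeof field !== "string") throw new TypeError("field must be a string");
    // Own-property check: "constructor" or "__proto__" must not resolve to
    // inherited Object.prototype members.
    if (!Object.prototype.hasOwnProperty.call(OPERATORS, operator)) {
      throw new RangeError("unsupported operator: " + String(operator));
    }
    const op = OPERATORS[operator];
    return (doc) =>
      Object.prototype.hasOwnProperty.call(doc, field) && op(doc[field], value);
  });
  return (doc) => checks.every((check) => check(doc));
}

// Returns the documents matching every filter, in the key/value shape a view
// would emit, without ever evaluating user-provided text.
function runViewSafe(filters, docs) {
  const matches = buildPredicate(filters);
  return docs.filter(matches).map((doc) => ({ key: doc._id, value: doc }));
}
```

Run with node: runMapUnsafe returns the secret once per document, because the attacker's function body is simply executed; runViewSafe returns only the matching rows and rejects any operator outside the allowlist, including prototype names such as constructor, because the lookup is an own-property check rather than a plain object index.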
Recommendations: Update Budibase to version 3.30.4 or later.

Exploit · Fix
RCE · Code Injection · Eval Injection

Weakness Enumeration

Related Identifiers
CVE-2026-27702
GHSA-RVHR-26G4-P2R8

Affected Products
Budibase