PT-2026-24106 · Budibase · Budibase

Omkarparth · Published 2026-03-09 · Updated 2026-03-09 · CVE-2026-25041

CVSS v4.0: 8.6 (High)
Vector: AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Budibase versions prior to 3.23.22
Description: Budibase is a low-code platform that allows users to create internal tools, workflows, and admin panels. The PostgreSQL integration within Budibase constructs shell commands using user-controlled configuration values, such as the database name, host, and password, without adequate sanitization. Specifically, the password and other connection parameters are directly interpolated into a shell command within the packages/server/src/integrations/postgres.ts file (lines 529-531). An attacker who can control these database configuration values can inject shell commands. For example, manipulating the password or database name parameters could allow for arbitrary code execution, system compromise, and data exfiltration. The vulnerable code constructs a shell command using template literals, directly embedding the this.config.password value into the PGPASSWORD environment variable.
Recommendations: Versions prior to 3.23.22 should be updated. Use environment variables for sensitive values instead of command-line arguments. Validate and sanitize all configuration values. Use proper escaping for shell arguments. Consider using a PostgreSQL library's native dump functionality instead of shell commands. Use execFile with proper argument handling, as shown in the example fix, to avoid shell injection.

Weakness Enumeration

Command Injection
OS Command Injection

Related Identifiers

CVE-2026-25041
GHSA-726G-59WR-CJ4C

Affected Products

Budibase