PT-2026-30170 · Budibase · Budibase

Hasinohacker · Published 2026-04-03 · Updated 2026-04-03 · CVE-2026-25043

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: Budibase versions prior to 3.23.25

Description: Budibase, an open-source low-code platform, contains a business logic issue in its password reset functionality. The "Forgot Password" endpoint lacks rate limiting, CAPTCHA, or any other abuse prevention mechanism. An unauthenticated attacker can repeatedly trigger password reset requests for the same email address, causing a large number of password reset emails to be sent in a short period. This enables email flooding and user harassment, amounts to a denial of service (DoS) against the targeted inboxes, and can cause financial and reputational damage (mail-sending costs and sender-reputation loss for the operator). The CVSS vector reflects this: no privileges or user interaction are required, and the impact is on availability only.

Recommendations: Update Budibase to version 3.23.25 or later. Until the upgrade is applied, throttling the forgot-password endpoint at a reverse proxy or WAF, per source IP and per target address, limits the mail volume a single attacker can generate.
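The following is an added illustration, not code from Budibase or from this advisory: a minimal Koa-style "forgot password" handler with no throttling, next to a hardened version that limits reset mails per target address and per client IP and returns the same response either way, so the limiter does not reveal which addresses exist. The request shape ({ ip, body: { email } }), the in-memory outbox standing in for the mail service, the limits (3 mails per address and 10 requests per IP per 15 minutes) and the flood simulation are all assumptions chosen for the example.

```javascript
// Added example (not Budibase code). Assumed request shape: { ip, body: { email } }.
// sentMail is a constructed in-memory outbox standing in for the real mail service.
const sentMail = [];

function sendResetEmail(email) {
  sentMail.push({ to: email, at: Date.now() });
}

// Vulnerable shape: every request produces a mail, however many arrive.
function forgotPasswordUnthrottled(req) {
  sendResetEmail(String(req.body.email || "").trim().toLowerCase());
  return { status: 200, body: { message: "Please check your email for a reset link." } };
}

// Sliding-window counter keyed by an arbitrary string (an email address or an IP).
// Note: an unbounded Map keyed by attacker-chosen strings is itself a resource
// exhaustion risk; a production deployment would back this with a store that
// expires keys (e.g. Redis with a TTL) rather than process memory.
class SlidingWindowLimiter {
  constructor(limit, windowMs) {
    this.limit = limit;
    this.windowMs = windowMs;
    this.hits = new Map();
  }
  // Returns true and records the hit if `key` is under its limit, false otherwise.
  allow(key, now = Date.now()) {
    const recent = (this.hits.get(key) || []).filter((t) => now - t < this.windowMs);
    if (recent.length >= this.limit) {
      this.hits.set(key, recent);
      return false;
    }
    recent.push(now);
    this.hits.set(key, recent);
    return true;
  }
}

const WINDOW_MS = 15 * 60 * 1000; // assumed 15-minute window

// Hardened shape: a per-address limit stops one victim being flooded, a per-IP
// limit slows one attacker rotating through many victims. The 200 response is
// identical whether a mail was sent or suppressed.
function createThrottledHandler({ perEmailLimit = 3, perIpLimit = 10 } = {}) {
  const perEmail = new SlidingWindowLimiter(perEmailLimit, WINDOW_MS);
  const perIp = new SlidingWindowLimiter(perIpLimit, WINDOW_MS);
  return function forgotPasswordThrottled(req, now = Date.now()) {
    const email = String(req.body.email || "").trim().toLowerCase();
    const ipOk = perIp.allow(req.ip, now);
    const emailOk = ipOk && perEmail.allow(email, now);
    if (emailOk) sendResetEmail(email);
    // Suppressed attempts should be logged for detection (omitted here).
    return { status: 200, body: { message: "Please check your email for a reset link." } };
  };
}

// Simulates the abuse the advisory describes: one client sending `attempts`
// requests 100 ms apart, with victimFor(i) choosing the target of request i.
// Returns how many reset mails actually left the outbox.
function floodSimulation(handler, attempts, victimFor) {
  sentMail.length = 0;
  const start = 1000000; // constructed timestamp base
  for (let i = 0; i < attempts; i++) {
    handler({ ip: "198.51.100.7", body: { email: victimFor(i) } }, start + i * 100);
  }
  return sentMail.length;
}

// Stand-alone demonstration.
console.log("unthrottled, one victim:", floodSimulation(forgotPasswordUnthrottled, 500, () => "victim@example.com"));
console.log("throttled, one victim:  ", floodSimulation(createThrottledHandler(), 500, () => "victim@example.com"));
console.log("throttled, 500 victims: ", floodSimulation(createThrottledHandler(), 500, (i) => `user${i}@example.com`));
```

The unthrottled handler sends 500 mails for 500 requests; the throttled one sends 3 to a single victim and at most 10 in total from one source address even when the attacker rotates targets. Normalising the address before keying the limiter matters, since otherwise case or whitespace variants of the same mailbox would each get a fresh quota.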

Weakness Enumeration

CWE-770 Allocation of Resources Without Limits or Throttling

Related Identifiers

CVE-2026-25043

Affected Products

Budibase