PT-2026-30193 · Budibase · Budibase

Da7Om85

Published 2026-04-03 · Updated 2026-04-04 · CVE-2026-35218

CVSS v3.1: 8.7 High

Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Budibase versions prior to 3.32.5
Description: Budibase, an open-source low-code platform, had a stored cross-site scripting (XSS) issue in its Builder Command Palette. Before version 3.32.5, entity names (tables, views, queries, automations) were rendered with Svelte's {@html} directive without sanitization, so markup placed in a name was interpreted by the browser rather than displayed as text. An authenticated user with Builder access could create an entity whose name carried a malicious HTML payload (e.g., ). When another Builder-role user opened the Command Palette (Ctrl+K), the payload executed in that user's browser with their Builder privileges, potentially exposing their session cookie and enabling full account takeover. Even where the session cookie is not readable from script, the injected code can issue requests to the Budibase API as the victim, which is why the CVSS vector rates both confidentiality and integrity impact as High with a changed scope.
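The following is an added example and not Budibase's own code. It models the rendering difference the description turns on: a function that injects the entity name as raw markup (what Svelte's {@html} directive does) beside one that escapes it (what Svelte's ordinary {name} text interpolation does), plus a small post-upgrade hunt over stored entity names. The sample entities, the probe payload and the MARKUP_RE heuristic are constructed for illustration and are assumptions, not anything taken from the advisory or the project.

```javascript
// Added example (not Budibase code): models Command Palette rendering of
// entity names and a hunt for names that carry markup.

const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// HTML-escape a string so it renders as text, never as markup.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ESCAPES[c]);
}

// Mirrors "{@html name}": the name is inserted into the DOM as markup,
// so any tag or event-handler attribute in it is interpreted. Vulnerable.
function renderPaletteItemUnsafe(name) {
  return `<li class="command">${name}</li>`;
}

// Mirrors "{name}": the name is inserted as text. Hardened form.
function renderPaletteItemSafe(name) {
  return `<li class="command">${escapeHtml(name)}</li>`;
}

// Heuristic (an assumption, not a Budibase rule): a legitimate table, view,
// query or automation name never needs a tag, an inline event handler or a
// javascript: URL. Flag stored names that contain one.
const MARKUP_RE = /<\s*\/?\s*[a-z!][^>]*>|\bon[a-z]+\s*=|javascript:/i;

function findSuspiciousEntityNames(entities) {
  return entities.filter((e) => MARKUP_RE.test(e.name));
}

// Constructed sample of stored entity names; the third is a harmless
// probe payload of the kind a Builder-role attacker could store.
const sampleEntities = [
  { type: 'table', name: 'customers' },
  { type: 'automation', name: 'Nightly export' },
  { type: 'table', name: '<img src=x onerror="alert(document.domain)">' },
];

// Stand-alone run: show both renderings and the hunt result.
for (const e of sampleEntities) {
  console.log('unsafe:', renderPaletteItemUnsafe(e.name));
  console.log('safe:  ', renderPaletteItemSafe(e.name));
}
console.log('suspicious:', findSuspiciousEntityNames(sampleEntities).map((e) => e.name));
```

The unsafe rendering of the third name produces a live <img> element whose onerror handler runs in the viewer's session; the safe rendering produces the same characters as inert text. The hunt is worth running against the entity tables of an upgraded instance because the fix stops the payload from executing but does not remove names that were stored before the upgrade.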
Recommendations: Update Budibase to version 3.32.5 or later. Because the payload is stored in entity names, also review existing table, view, query and automation names for embedded markup or event-handler attributes after upgrading; a hit indicates the flaw was exploited before the fix, and the sessions of Builder users who opened the Command Palette in the meantime should be treated as potentially compromised.

Fix

XSS

Weakness Enumeration

Related Identifiers: CVE-2026-35218

Affected Products: Budibase