PT-2026-41797 · Npm+2 · @Budibase/Server+1

Merlijnw70

·

Published

2026-05-18

·

Updated

2026-05-27

·

CVE-2026-45719

CVSS v3.1

6.5

Medium

VectorAV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions Budibase versions prior to 3.38.1
Description The V1 Views API endpoint "/api/views" accepts a calculation parameter in the request body that is interpolated directly into a CouchDB reduce function definition without validation. While an internal SCHEMA MAP object defines valid calculation types such as sum, count, and stats, it is not used to validate the input. A user with Builder permissions can inject arbitrary JavaScript code, which is then executed within the CouchDB SpiderMonkey JavaScript engine when the view is queried. This allows for the execution of arbitrary code within the CouchDB sandbox and potential data exfiltration across the database, as the reduce function receives all matching document values.
Recommendations Update to version 3.38.1. As a temporary workaround, restrict access to the "/api/views" endpoint to minimize the risk of exploitation.

Exploit

Fix

Code Injection

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-45719
GHSA-363W-HVWH-W7M6

Affected Products

@Budibase/Server
Budibase