PT-2026-44060 · Budibase · Budibase

Adrgs · Published 2026-05-27 · Updated 2026-05-27 · CVE-2026-48149

CVSS v3.1: 8.1 High

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions
Budibase versions prior to 3.39.0

Description
The Text component in this open-source low-code platform renders markdown by assigning the output of marked.parse(markdown) directly to innerHTML without a sanitizer. This creates a stored Cross-Site Scripting (XSS) sink; XSS is a flaw that allows an attacker to inject malicious scripts into web pages viewed by other users. Any column bound to a Text component in Markdown mode can be exploited by any basic application user who has write permissions on the underlying table.

Recommendations
Update to version 3.39.0.
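
For teams auditing their own components for the same pattern, the following is an added example (not Budibase code and not taken from the project's fix): a heuristic source scan that flags innerHTML assignments fed by marked.parse() output, directly or through a variable, when no sanitizer call wraps the value. The sanitizer names in SANITIZERS and the sample source lines are assumptions constructed for illustration.

```javascript
// Added example: line-based audit for unsanitized marked.parse() -> innerHTML.
// SANITIZERS is an assumed allowlist of sanitizer entry points; adjust it to
// whatever sanitizer your code base actually uses.
const SANITIZERS = ["DOMPurify.sanitize", "sanitizeHtml"];
const PARSE = /\bmarked\.parse\s*\(/;

function isSanitized(expr) {
  return SANITIZERS.some((name) => expr.includes(name + "("));
}

function findUnsanitizedMarkdownSinks(source) {
  const tainted = new Set(); // variables holding raw marked.parse() output
  const findings = [];
  source.split("\n").forEach((line, i) => {
    // Track declarations such as `const html = marked.parse(md)`.
    const decl = line.match(/\b(?:const|let|var)\s+([A-Za-z_]\w*)\s*=\s*(.+)/);
    if (decl) {
      const [, name, expr] = decl;
      if (PARSE.test(expr) && !isSanitized(expr)) tainted.add(name);
      else tainted.delete(name);
    }
    // Match `x.innerHTML = ...` and `x.innerHTML += ...`, but not comparisons.
    const sink = line.match(/\.innerHTML\s*\+?=(?!=)\s*(.+)/);
    if (!sink) return;
    const value = sink[1];
    if (isSanitized(value)) return; // sanitizer wraps the assigned value
    const direct = PARSE.test(value);
    const viaVar = [...tainted].some((v) =>
      new RegExp("\\b" + v + "\\b").test(value));
    if (direct || viaVar) findings.push({ line: i + 1, code: line.trim() });
  });
  return findings;
}

// Constructed sample source, one statement per line.
const SAMPLE = [
  "node.innerHTML = marked.parse(markdown)",                     // flagged
  "const html = marked.parse(markdown)",
  "node.innerHTML = html",                                       // flagged
  "node.innerHTML = DOMPurify.sanitize(marked.parse(markdown))", // sanitized
  "const safe = DOMPurify.sanitize(marked.parse(markdown))",
  "node.innerHTML = safe",                                       // sanitized
  "node.textContent = markdown",                                 // not a sink
].join("\n");

for (const f of findUnsanitizedMarkdownSinks(SAMPLE)) {
  console.log(`line ${f.line}: ${f.code}`);
}
```

The scan is a regex heuristic over single lines, so it misses multi-line expressions and values passed through function calls; treat hits as review candidates rather than a complete inventory.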

Exploit

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2026-48149

Affected Products

Budibase