CVE-2026-45719 | THREATINT

Description

Budibase is an open-source low-code platform. Prior to 3.38.1, the V1 Views API (POST /api/views) accepts a calculation parameter from the request body that is interpolated directly into a CouchDB reduce function definition without validation. Although an internal SCHEMA_MAP object defines the valid calculation types (sum, count, stats), no actual validation is performed against this map before the value is used in string interpolation. A user with Builder permissions can inject arbitrary JavaScript code that will be executed within the CouchDB JavaScript engine when the view is queried. This vulnerability is fixed in 3.38.1.

PUBLISHED Reserved 2026-05-13 | Published 2026-05-27 | Updated 2026-05-27 | Assigner GitHub_M

MEDIUM: 6.5CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N

Problem types

CWE-94: Improper Control of Generation of Code ('Code Injection')

Product status

< 3.38.1

affected

References

github.com/...dibase/security/advisories/GHSA-363w-hvwh-w7m6 exploit

github.com/...dibase/security/advisories/GHSA-363w-hvwh-w7m6

github.com/Budibase/budibase/releases/tag/3.38.1

cve.org (CVE-2026-45719)

nvd.nist.gov (CVE-2026-45719)

Download JSON