
CVE-2026-54350

CVSS 10.0 CRITICAL · EPSS 34% · CWE-89

Budibase is an open-source low-code platform. Prior to 3.39.12, an unauthenticated visitor of any published Budibase app reads every document of the backing MongoDB, CouchDB, Elasticsearch, DynamoDB-PartiQL, or REST-with-JSON-body collection and, where the builder has published a PUBLIC write query, modifies every document of that collection with one HTTP request. enrichContext at packages/server/src/sdk/workspace/queries/queries.ts:121-138 substitutes parameter values into the raw JSON body of a query, then JSON.parses the result. The validator validateQueryInputs at packages/server/src/api/...

Published 2026-06-26 · last modified 2026-06-30

details

CISA KEV status: Not in catalog
CVSS v3: 10.0 / CRITICAL
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
EPSS: 34% percentile (score 0.0043)
CWE: CWE-89

source mentions 2

source consensus

  • Bluesky:@cyberhub.blog
  • Bluesky