Budibase: Command Injection in Bash Automation Step

Description

Location: packages/server/src/automations/steps/bash.ts

Recommendation

Update the @budibase/server package to the latest compatible version. Followings are version details:

• Affected version(s): < 3.33.4
• Patched version(s): 3.33.4

References

• GHSA-gjw9-34gf-rp6m
• CVE-2026-25044
• CWE-78
• CAPEC-310
• OWASP 2021-A3
• OWASP 2021-A6

Related Issues

• Budibase: Unauthenticated Remote Code Execution via Webhook Trigger and Bash Automation Step - CVE-2026-35216
• @budibase/server: Command Injection in PostgreSQL Dump Command - CVE-2026-25041
• Budibase: SSRF in AI Extract File Automation Step via Missing IP Blacklist Validation - CVE-2026-45548
• Budibase: CouchDB Reduce Injection via Unsanitized Calculation Parameter in V1 Views API - CVE-2026-45719

You might also like:

How do hackers hack websites?

10 Secure Coding Best Practices to Follow in Every Project

Update Cheat Sheet for Developers

Tags:

npm

@budibase/server