Budibase: CouchDB Reduce Injection via Unsanitized Calculation Parameter in V1 Views API
- Severity:
- Medium
Description
Affected Software: Budibase Affected Component: packages/server/src/api/controllers/view/viewBuilder.ts, packages/server/src/api/routes/view.ts CWE: CWE-94 (Improper Control of Generation of Code) Discovery Date: 2026-03-24
Recommendation
Update the @budibase/server package to the latest compatible version. Followings are version details:
- Affected version(s): < 3.38.1
- Patched version(s): 3.38.1
References
Related Issues
- Systeminformation has a Command Injection via unsanitized interface parameter in wifi.js retry path - CVE-2026-26280
- jsPDF has a PDF Object Injection via Unsanitized Input in addJS Method - CVE-2026-25755
- Axios: CRLF Injection in multipart/form-data body via unsanitized blob.type in formDataToStream - CVE-2026-42037
- Payload: Pre-Authentication Account Takeover via Parameter Injection in Password Recovery - payload - CVE-2026-34751
You might also like:
- Tags:
- npm
- @budibase/server
Anything's wrong? Let us know Last updated on May 18, 2026


