Budibase: CouchDB Reduce Injection via Unsanitized Calculation Parameter in V1 Views API
- Severity: Medium
Description
- Affected Software: Budibase
- Affected Component: packages/server/src/api/controllers/view/viewBuilder.ts, packages/server/src/api/routes/view.ts
- CWE: CWE-94 (Improper Control of Generation of Code)
- Discovery Date: 2026-03-24
Recommendation
Update the @budibase/server package to the latest compatible version. Version details:
- Affected version(s): < 3.38.1
- Patched version(s): 3.38.1
Related Issues
- Systeminformation has a Command Injection via unsanitized interface parameter in wifi.js retry path - CVE-2026-26280
- Budibase: `PUT /api/datasources/:datasourceId` is protected only by `TABLE/READ` permission instead of builder access, a - CVE-2026-45717
- i18next-locize-backend has URL Injection via Unsanitized Path Parameters - CVE-2026-41885
- Budibase: Command Injection in Bash Automation Step - CVE-2026-25044
- Tags:
- npm
- @budibase/server
Last updated on May 18, 2026


