@budibase/server: Command Injection in PostgreSQL Dump Command

Description

Location: packages/server/src/integrations/postgres.ts:529-531

Recommendation

Update the @budibase/server package to the latest compatible version. Followings are version details:

• Affected version(s): < 3.23.32
• Patched version(s): 3.23.32

References

• GHSA-726g-59wr-cj4c
• CVE-2026-25041
• CWE-77
• CWE-78
• CAPEC-310
• OWASP 2021-A3
• OWASP 2021-A6

Related Issues

• Parse Server: SQL injection via dot-notation field name in PostgreSQL - CVE-2026-31840
• Parse Server has a SQL injection via query field name when using PostgreSQL - CVE-2026-32234
• Parse Server vulnerable to SQL Injection via dot-notation sub-key name in `Increment` operation on PostgreSQL - CVE-2026-31871
• Parse Server vulnerable to SQL injection via `Increment` operation on nested object field in PostgreSQL - CVE-2026-31856

Tags:

npm

@budibase/server