CVE-2026-35218 Overview
CVE-2026-35218 is a stored Cross-Site Scripting (XSS) vulnerability in Budibase, an open-source low-code platform. The vulnerability exists in the Builder Command Palette, which renders entity names (tables, views, queries, automations) using Svelte's {@html} directive without proper sanitization. An authenticated user with Builder access can inject malicious HTML/JavaScript payloads into entity names, which execute when other Builder-role users in the same workspace open the Command Palette.
Critical Impact
This stored XSS vulnerability enables session cookie theft and full account takeover of any Builder-role user who opens the Command Palette in a compromised workspace.
Affected Products
- Budibase versions prior to 3.32.5
Discovery Timeline
- 2026-04-03 - CVE-2026-35218 published to NVD
- 2026-04-08 - Last updated in NVD database
Technical Details for CVE-2026-35218
Vulnerability Analysis
This stored XSS vulnerability arises from improper handling of user-controlled input in Budibase's Builder interface. The application uses Svelte's {@html} directive to render entity names in the Command Palette component without any input sanitization or output encoding. This design flaw allows authenticated attackers to embed arbitrary HTML and JavaScript within entity names that persist in the application and execute whenever the Command Palette is accessed.
The attack is particularly impactful because Builder users frequently access the Command Palette via Ctrl+K as a navigation shortcut, making exploitation highly likely once the malicious payload is planted. The vulnerability's scope extends beyond the originating user session, as the payload affects all Builder-role users within the same workspace who interact with the Command Palette.
Root Cause
The root cause is the use of Svelte's {@html} directive to render user-supplied entity names (table names, view names, query names, automation names) without implementing HTML entity encoding or Content Security Policy protections. The {@html} directive in Svelte explicitly bypasses the framework's default XSS protections, rendering raw HTML directly into the DOM. When combined with unsanitized user input, this creates a direct path for script injection.
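As an added illustration (not Budibase's code, and not the project's actual patch, which the advisory describes only as sanitization), the plain JavaScript below stands in for the palette rendering: the unsafe variant splices the name into markup the way {@html} does, the safe variant applies the entity encoding that Svelte's ordinary {name} interpolation performs. The palette-item markup and the sample entity are constructed.

```javascript
// Added example (not Budibase code): a minimal stand-in for rendering one
// Command Palette entry, contrasting raw HTML interpolation (what Svelte's
// {@html} does) with HTML entity encoding of the user-supplied entity name.

// Encode the five characters that can change the meaning of HTML text or
// attribute values. Svelte's plain {name} interpolation does this for you;
// {@html} deliberately skips it.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern: the entity name is spliced into the markup unchanged,
// so any tags or event-handler attributes it carries become live DOM.
function renderPaletteItemUnsafe(entity) {
  return `<li class="palette-item" data-type="${entity.type}">${entity.name}</li>`;
}

// Hardened pattern: the name is encoded, so the browser shows the literal
// text "<img ...>" instead of creating an <img> element.
function renderPaletteItemSafe(entity) {
  return `<li class="palette-item" data-type="${escapeHtml(entity.type)}">${escapeHtml(entity.name)}</li>`;
}

// True when the rendered string contains any element other than the wrapping
// <li>, i.e. when user-supplied markup survived into the output.
function containsForeignTag(html) {
  const tags = html.match(/<\/?([a-z][a-z0-9-]*)/gi) || [];
  return tags.some((t) => !/^<\/?li$/i.test(t));
}

// Constructed sample: a table whose name carries a classic stored-XSS probe.
const hostileTable = { type: "table", name: '<img src=x onerror="alert(1)">' };

// renderPaletteItemUnsafe(hostileTable) keeps the <img>; the safe variant does not.
```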
Attack Vector
An authenticated attacker with Builder access exploits this vulnerability through the following method:
- The attacker creates a new entity (table, automation, view, or query) in Budibase
- The entity name is crafted to contain an HTML payload with embedded JavaScript, such as an <img> tag with an onerror event handler
- This malicious entity name is stored in the Budibase database
- When any Builder-role user in the same workspace opens the Command Palette (Ctrl+K), the payload renders via the {@html} directive
- The JavaScript executes in the victim's browser context, allowing cookie theft via document.cookie, session hijacking, or other malicious actions
- With the stolen session, the attacker achieves full account takeover of the victim user
The attack requires no user interaction beyond opening the Command Palette, which is a common workflow action. The payload persists until the malicious entity is deleted, allowing repeated exploitation against multiple users.
Detection Methods for CVE-2026-35218
Indicators of Compromise
- Presence of entity names (tables, views, queries, automations) containing HTML tags such as <script>, <img>, <svg>, <iframe>, or event handlers like onerror, onload, onclick
- Unexpected outbound network requests from Builder user browsers to external domains that may indicate cookie exfiltration
- Audit logs showing unusual entity creation or renaming activities with special characters or encoded payloads
Detection Strategies
- Implement Web Application Firewall (WAF) rules to detect and block XSS payloads in entity name fields
- Monitor application logs for entity names containing HTML special characters (<, >, ", ') and JavaScript event handlers
- Review database records for entity names with suspicious patterns indicative of XSS payloads
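The indicator list and the database review step above can be turned into an offline audit of exported entity names. The following is an added example, not a Budibase tool; the record shape (type, id, name) and the sample names are constructed, so adapt the field names to whatever your export or database query returns. It requires tag or handler syntax rather than flagging every bare "<" or quote, which is quieter than the character-level rule above but can miss more exotic encodings.

```javascript
// Added example (not Budibase code): scan exported entity names for the
// indicators listed above. Record shape and sample data are constructed.

// Indicators: any HTML tag, inline event handlers such as onerror/onload/
// onclick, and javascript: URLs. Case-insensitive, as HTML is.
const INDICATORS = [
  { id: "html-tag", re: /<\s*\/?[a-z][\w-]*/i },
  { id: "event-handler", re: /\bon[a-z]+\s*=/i },
  { id: "javascript-url", re: /javascript\s*:/i },
];

// A stored payload may be percent- or entity-encoded so that a naive grep for
// "<" misses it. Undo one layer of each before matching.
function normalize(name) {
  let s = String(name);
  try { s = decodeURIComponent(s); } catch (_) { /* not percent-encoded */ }
  return s
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => String.fromCodePoint(parseInt(h, 16)))
    .replace(/&#(\d+);?/g, (_, d) => String.fromCodePoint(parseInt(d, 10)))
    .replace(/&lt;/gi, "<").replace(/&gt;/gi, ">")
    .replace(/&quot;/gi, '"').replace(/&amp;/gi, "&");
}

// One finding per entity whose name matches, listing which indicators hit.
function auditEntityNames(entities) {
  const findings = [];
  for (const e of entities) {
    const text = normalize(e.name);
    const hits = INDICATORS.filter((i) => i.re.test(text)).map((i) => i.id);
    if (hits.length) findings.push({ type: e.type, id: e.id, name: e.name, indicators: hits });
  }
  return findings;
}

// Constructed sample export: three benign names and two that should be flagged.
const SAMPLE_ENTITIES = [
  { type: "table", id: "ta_1", name: "Customers" },
  { type: "view", id: "vw_1", name: "Orders > 100" }, // a bare ">" is not a tag
  { type: "query", id: "qr_1", name: "Sales & Refunds" },
  { type: "automation", id: "au_1", name: '<img src=x onerror="alert(1)">' },
  { type: "table", id: "ta_2", name: "&lt;svg onload=alert(1)&gt;" }, // entity-encoded
];

// auditEntityNames(SAMPLE_ENTITIES) returns findings for au_1 and ta_2 only.
```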
Monitoring Recommendations
- Enable detailed audit logging for all entity creation and modification events in Budibase
- Configure browser Content Security Policy (CSP) headers to restrict inline script execution and report violations
- Monitor for anomalous session activity that may indicate account compromise following XSS exploitation
How to Mitigate CVE-2026-35218
Immediate Actions Required
- Upgrade Budibase to version 3.32.5 or later immediately
- Audit existing entity names (tables, views, queries, automations) in all workspaces for potential malicious payloads
- Rotate session tokens for all Builder-role users as a precautionary measure against potential session theft
- Review access logs for suspicious activity that may indicate prior exploitation
Patch Information
The vulnerability has been patched in Budibase version 3.32.5. The fix implements proper HTML sanitization for entity names before rendering in the Command Palette. Organizations should upgrade to this version or later to remediate the vulnerability.
For technical details on the patch, refer to:
- GitHub Commit Changes
- GitHub Pull Request Discussion
- GitHub Security Advisory GHSA-gp5x-2v54-v2q5
- GitHub Release 3.32.5
Workarounds
- If immediate patching is not possible, restrict Builder access to only trusted users until the upgrade is complete
- Implement a Content Security Policy (CSP) header with script-src 'self' to mitigate the impact of injected scripts
- Periodically audit entity names in all workspaces and remove any entries containing suspicious HTML or JavaScript content
# Example: Upgrade Budibase using Docker
# Point the budibase service in docker-compose.yml at the patched tag before
# restarting; pulling alone does not change the tag the compose file uses.
docker pull budibase/budibase:3.32.5
docker-compose down
docker-compose up -d
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.