HIGH🇵🇱 Wersja polska

CVE-2026-42239

CVSS 8.1v3.1pub. 2026-05-07upd. 2026-06-04

Budibase is an open-source low-code platform. Prior to version 3.35.10, the budibase:auth cookie containing the JWT session token is set with httpOnly: false at packages/backend-core/src/utils/utils.ts:218. JavaScript can read this cookie via document.cookie. This means every XSS becomes a full account takeover — the attacker steals the JWT and has persistent access to the victim's account. The cookie also lacks secure: true (sent over plaintext HTTP) and sameSite attribute. This issue has been patched in version 3.35.10.

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N
  • Budibase

    APP
    Budibase
    < 3.35.10
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
XSS
CWE
References

Related vulnerabilities

CVE-2026-54350CRITICAL10.0PL ✓ten sam produkt

SQL/NoSQL Injection w Budibase — nieautoryzowany odczyt i zapis danych

CVE-2026-54352CRITICAL9.6PL ✓ten sam produkt

Budibase: path traversal przez symlink w endpoint przetwarzania ZIP

CVE-2026-41428CRITICAL9.1PL ✓ten sam produkt

Budibase: pominięcie uwierzytelnienia przez manipulację query string

CVE-2026-31818CRITICAL9.6PL ✓ten sam produkt

SSRF w Budibase — nieaktywna ochrona blacklisty IP umożliwia dowolne żądania

CVE-2026-35216CRITICAL9.0PL ✓ten sam produkt

Budibase: nieuwierzytelniony RCE przez publiczny webhook i krok Bash