CVE-2026-25041
Published: 09 March 2026
Summary
CVE-2026-25041 is a high-severity OS Command Injection (CWE-78) vulnerability in Budibase Budibase. Its CVSS base score is 7.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 23.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Threat & Defense at a Glance
Threat & Defense Details
Likely Mitigating ControlsAI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Command injection (CWE-78) in Budibase Postgres integration directly allows arbitrary Unix shell command execution via unsanitized config interpolation; maps to T1190 for remote exploitation of the public-facing app and T1059.004 for resulting shell access.
NVD Description
Budibase is a low code platform for creating internal tools, workflows, and admin panels. In 3.23.22 and earlier, the PostgreSQL integration constructs shell commands using user-controlled configuration values (database name, host, password, etc.) without proper sanitization. The password and other…
more
connection parameters are directly interpolated into a shell command. This affects packages/server/src/integrations/postgres.ts.
Deeper analysisAI
CVE-2026-25041 is a command injection vulnerability (CWE-78) affecting Budibase, a low-code platform for creating internal tools, workflows, and admin panels. The issue exists in versions 3.23.22 and earlier, specifically within the PostgreSQL integration located at packages/server/src/integrations/postgres.ts. User-controlled configuration values, including database name, host, password, and other connection parameters, are directly interpolated into shell commands without proper sanitization, enabling arbitrary command execution.
The vulnerability carries a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H). Exploitation requires high privileges (PR:H) and can be performed over the network (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N). Successful attacks enable high-impact compromise of confidentiality, integrity, and availability (C:H/I:H/A:H) within the unchanged scope (S:U), potentially allowing privileged users to execute arbitrary shell commands on the server.
Budibase has addressed the vulnerability via commit 9fdbff32fb9e69650ba899a799e13f80d9b09e93, with full details provided in the GitHub security advisory GHSA-726g-59wr-cj4c. The vulnerable code snippet appears at lines 529-531 in the file at https://github.com/Budibase/budibase/blob/f34d545602a7c94427bae63312a5ee9bf2aa6c85/packages/server/src/integrations/postgres.ts. Security practitioners should upgrade to a patched version and review PostgreSQL integration configurations for sensitive deployments.
Details
- CWE(s)