CVE-2026-35218
Published: 03 April 2026
Summary
CVE-2026-35218 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Budibase. Its CVSS base score is 8.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Steal Web Session Cookie (T1539). The CVE is ranked at the 10.8th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-15 (Information Output Filtering): filter entity names before the Command Palette renders them, so injected HTML/JS payloads are displayed as text rather than executed.
- SI-10 (Information Input Validation): validate and sanitize entity names on input, so Builder users cannot store names containing malicious HTML payloads.
- Flaw remediation: identify and remediate Budibase's unsanitized use of Svelte's {@html} directive through timely patching, as done in version 3.32.5.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Stored XSS enables arbitrary JavaScript execution in the victim's browser context, which directly facilitates theft of web session cookies for account takeover, as explicitly described in the CVE.
NVD Description
Budibase is an open-source low-code platform. Prior to version 3.32.5, Budibase's Builder Command Palette renders entity names (tables, views, queries, automations) using Svelte's {@html} directive without any sanitization. An authenticated user with Builder access can create a table, automation, view, or query whose name contains an HTML payload (e.g. <img src=x onerror=alert(document.domain)>). When any Builder-role user in the same workspace opens the Command Palette (Ctrl+K), the payload executes in their browser, stealing their session cookie and enabling full account takeover. This issue has been patched in version 3.32.5.
Deeper analysis
CVE-2026-35218 is a cross-site scripting (XSS) vulnerability (CWE-79) in Budibase, an open-source low-code platform. Prior to version 3.32.5, the Builder Command Palette renders entity names—such as tables, views, queries, and automations—using Svelte's {@html} directive without proper sanitization. This allows malicious HTML payloads embedded in entity names to be executed when rendered.
An authenticated user with Builder access in a Budibase workspace can exploit this by creating a table, automation, view, or query with an HTML payload in its name, such as <img src=x onerror=alert(document.domain)>. When any other user with Builder role in the same workspace opens the Command Palette (via Ctrl+K), the payload executes in their browser context. This can steal the victim's session cookie, leading to full account takeover. The vulnerability has a CVSS v3.1 base score of 8.7 (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N), indicating high confidentiality and integrity impact with network accessibility but requiring low privileges and user interaction.
The issue was addressed in Budibase version 3.32.5, as detailed in the project's security advisory (GHSA-gp5x-2v54-v2q5), release notes, associated pull request (#18243), and patching commit (c9ccf0c19e5849f1bda96401aa33f97c99cd8cd6). Security practitioners should urge users to upgrade to 3.32.5 or later and review workspaces for potentially malicious entities created by Builder users.
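To make the mitigating controls listed above concrete (output filtering before the palette renders a name, input validation when a name is saved) and the workspace review recommended here, the following is an added JavaScript example. It is not Budibase's own code and not the fix shipped in PR #18243 or version 3.32.5; the function names, the entity record shape and the sample inventory are assumptions constructed for illustration, and the payload string is the one quoted in the NVD description.

```javascript
// Added example, not Budibase's own code. Demonstrates the three defensive
// measures for a stored XSS in rendered entity names:
//  1. output filtering (escape before rendering, instead of raw {@html}),
//  2. input validation (reject entity names containing markup at save time),
//  3. an audit that flags already-stored names that look like HTML payloads.
// All function names and the entity record shape are assumptions.

// 1. Output filtering: the equivalent of Svelte's default text interpolation.
//    Every character that could open a tag or attribute is entity-encoded,
//    so the returned string is inert even if inserted as HTML.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// 2. Input validation: an allow-list for entity names (assumed policy).
//    Angle brackets, '=' and other markup characters are rejected outright,
//    so a payload never reaches storage in the first place.
const ENTITY_NAME_RE = /^[A-Za-z0-9 _\-.()]{1,64}$/;
function isValidEntityName(name) {
  return typeof name === 'string' && ENTITY_NAME_RE.test(name);
}

// 3. Audit: scan stored entities for names that look like HTML or JS
//    payloads. Deliberately broad (tag openers, on*= handlers, javascript:
//    URLs); hits are meant for manual review, not automatic deletion.
const SUSPICIOUS_RE = /<\s*[a-z!\/]|on\w+\s*=|javascript:/i;
function auditEntityNames(entities) {
  return entities
    .filter((e) => SUSPICIOUS_RE.test(e.name))
    .map((e) => ({ id: e.id, type: e.type, name: e.name }));
}

// Render one palette row the safe way: the name is escaped before insertion
// into the markup string, which is what {@html} omitted.
function renderPaletteRow(entity) {
  return `<li data-id="${escapeHtml(entity.id)}">${escapeHtml(entity.name)}</li>`;
}

// Constructed sample workspace inventory (not real Budibase data). The
// third entry carries the payload quoted in the advisory text.
const SAMPLE_ENTITIES = [
  { id: 'ta_1', type: 'table', name: 'Customers' },
  { id: 'vw_1', type: 'view', name: 'Active Orders (2026)' },
  { id: 'au_1', type: 'automation', name: '<img src=x onerror=alert(document.domain)>' },
  { id: 'qr_1', type: 'query', name: 'Report <b>bold</b>' },
];

// Stand-alone run: list flagged entities and show the escaped rendering.
console.log('flagged for review:', auditEntityNames(SAMPLE_ENTITIES));
console.log(SAMPLE_ENTITIES.map(renderPaletteRow).join('\n'));
```

The audit regex intentionally errs toward false positives (a name such as "Season=2" would be flagged) because the cost of a reviewer glancing at a benign name is far lower than missing a stored payload; pair the audit with the input allow-list so that, once the workspace is clean, new payloads cannot be introduced.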