{
  "resultsPerPage": 1,
  "startIndex": 0,
  "totalResults": 1,
  "format": "NVD_CVE",
  "version": "2.0",
  "timestamp": "2026-06-23T22:07:14.280",
  "vulnerabilities": [
    {
      "cve": {
        "id": "CVE-2026-27702",
        "sourceIdentifier": "security-advisories@github.com",
        "published": "2026-02-25T16:23:26.777",
        "lastModified": "2026-06-17T10:27:32.633",
        "vulnStatus": "Analyzed",
        "cveTags": [],
        "descriptions": [
          {
            "lang": "en",
            "value": "Budibase is a low code platform for creating internal tools, workflows, and admin panels. Prior to version 3.30.4, an unsafe `eval()` vulnerability in Budibase's view filtering implementation allows any authenticated user (including free tier accounts) to execute arbitrary JavaScript code on the server. This vulnerability ONLY affects Budibase Cloud (SaaS) - self-hosted deployments use native CouchDB views and are not vulnerable. The vulnerability exists in `packages/server/src/db/inMemoryView.ts` where user-controlled view map functions are directly evaluated without sanitization. The primary impact comes from what lives inside the pod's environment: the `app-service` pod runs with secrets baked into its environment variables, including `INTERNAL_API_KEY`, `JWT_SECRET`, CouchDB admin credentials, AWS keys, and more. Using the extracted CouchDB credentials, we verified direct database access, enumerated all tenant databases, and confirmed that user records (email addresses) are readable. Version 3.30.4 contains a patch."
          },
          {
            "lang": "es",
            "value": "Budibase es una plataforma de bajo código para crear herramientas internas, flujos de trabajo y paneles de administración. Antes de la versión 3.30.4, una `vulnerabilidad` `eval()` insegura en la implementación de filtrado de vistas de Budibase permite a cualquier usuario autenticado (incluidas las cuentas de nivel gratuito) ejecutar código JavaScript arbitrario en el `servidor`. Esta `vulnerabilidad` SOLO afecta a Budibase Cloud (SaaS) - las implementaciones autoalojadas usan vistas nativas de CouchDB y no son `vulnerables`. La `vulnerabilidad` existe en `packages/server/src/db/inMemoryView.ts` donde las funciones de mapeo de vistas controladas por el usuario se evalúan directamente sin sanitización. El `impacto` principal proviene de lo que reside dentro del entorno del pod: el pod `app-service` se ejecuta con secretos incorporados en sus variables de entorno, incluyendo `INTERNAL_API_KEY`, `JWT_SECRET`, credenciales de administrador de CouchDB, claves de AWS y más. Usando las credenciales de CouchDB extraídas, verificamos el acceso directo a la `base de datos`, enumeramos todas las `bases de datos` de inquilinos, y confirmamos que los registros de usuario (direcciones de correo electrónico) son legibles. La versión 3.30.4 contiene un `parche`."
          }
        ],
        "affected": [
          {
            "source": "security-advisories@github.com",
            "affectedData": [
              {
                "vendor": "Budibase",
                "product": "budibase",
                "versions": [
                  { "version": "< 3.30.4", "status": "affected" }
                ]
              }
            ]
          }
        ],
        "metrics": {
          "cvssMetricV31": [
            {
              "source": "security-advisories@github.com",
              "type": "Secondary",
              "cvssData": {
                "version": "3.1",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L",
                "baseScore": 9.9,
                "baseSeverity": "CRITICAL",
                "attackVector": "NETWORK",
                "attackComplexity": "LOW",
                "privilegesRequired": "LOW",
                "userInteraction": "NONE",
                "scope": "CHANGED",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "availabilityImpact": "LOW"
              },
              "exploitabilityScore": 3.1,
              "impactScore": 6.0
            },
            {
              "source": "nvd@nist.gov",
              "type": "Primary",
              "cvssData": {
                "version": "3.1",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
                "baseScore": 9.0,
                "baseSeverity": "CRITICAL",
                "attackVector": "NETWORK",
                "attackComplexity": "LOW",
                "privilegesRequired": "LOW",
                "userInteraction": "REQUIRED",
                "scope": "CHANGED",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "availabilityImpact": "HIGH"
              },
              "exploitabilityScore": 2.3,
              "impactScore": 6.0
            }
          ],
          "ssvcV203": [
            {
              "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "ssvcData": {
                "timestamp": "2026-02-25T20:43:20.935389Z",
                "id": "CVE-2026-27702",
                "options": [
                  { "exploitation": "poc" },
                  { "automatable": "no" },
                  { "technicalImpact": "total" }
                ],
                "role": "CISA Coordinator",
                "version": "2.0.3"
              }
            }
          ]
        },
        "weaknesses": [
          {
            "source": "security-advisories@github.com",
            "type": "Secondary",
            "description": [
              { "lang": "en", "value": "CWE-20" },
              { "lang": "en", "value": "CWE-94" },
              { "lang": "en", "value": "CWE-95" }
            ]
          },
          {
            "source": "nvd@nist.gov",
            "type": "Primary",
            "description": [
              { "lang": "en", "value": "CWE-94" }
            ]
          }
        ],
        "configurations": [
          {
            "nodes": [
              {
                "operator": "OR",
                "negate": false,
                "cpeMatch": [
                  {
                    "vulnerable": true,
                    "criteria": "cpe:2.3:a:budibase:budibase:*:*:*:*:*:*:*:*",
                    "versionEndExcluding": "3.30.4",
                    "matchCriteriaId": "6366022F-080A-40DB-B1E9-CD5811BED55D"
                  }
                ]
              }
            ]
          }
        ],
        "references": [
          {
            "url": "https://github.com/Budibase/budibase/commit/348659810cf930dda5f669e782706594c547115d",
            "source": "security-advisories@github.com",
            "tags": ["Patch"]
          },
          {
            "url": "https://github.com/Budibase/budibase/pull/18087",
            "source": "security-advisories@github.com",
            "tags": ["Issue Tracking"]
          },
          {
            "url": "https://github.com/Budibase/budibase/releases/tag/3.30.4",
            "source": "security-advisories@github.com",
            "tags": ["Release Notes"]
          },
          {
            "url": "https://github.com/Budibase/budibase/security/advisories/GHSA-rvhr-26g4-p2r8",
            "source": "security-advisories@github.com",
            "tags": ["Exploit", "Vendor Advisory"]
          }
        ]
      }
    }
  ]
}