8.6
Budibase: Malformed Shell Commands Can Execute Malicious Commands
GHSA-726g-59wr-cj4c
CVE-2026-25041
Summary
Budibase's PostgreSQL integration in versions prior to 3.23.22 constructs shell commands using user-controlled data without proper validation, potentially allowing attackers to inject malicious commands. This affects users who rely on the PostgreSQL integration. Update to version 3.23.22 or later to mitigate this risk.
What to do
- Update budibase server to version 3.23.32.
- Update budibase @budibase/server to version 3.23.32.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| budibase | server | <= 3.23.32 | 3.23.32 |
| budibase | @budibase/server | <= 3.23.32 | 3.23.32 |
| budibase | budibase | <= 3.23.22 | – |
Original title
Budibase is a low code platform for creating internal tools, workflows, and admin panels. In 3.23.22 and earlier, the PostgreSQL integration constructs shell commands using user-controlled configur...
Original description
Budibase is a low code platform for creating internal tools, workflows, and admin panels. In 3.23.22 and earlier, the PostgreSQL integration constructs shell commands using user-controlled configuration values (database name, host, password, etc.) without proper sanitization. The password and other connection parameters are directly interpolated into a shell command. This affects packages/server/src/integrations/postgres.ts.
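To make the pattern in the description concrete, here is an added example (not Budibase's own code, and the config field names are assumed) that shows connection values interpolated into a single shell string next to a hardened invocation that hands each value to the process as a separate argument and keeps the password out of the command line:

```typescript
// Added example, not Budibase's code: the unsafe pattern named in the advisory
// (connection values interpolated into one shell string) beside a hardened way
// to invoke a PostgreSQL CLI tool from Node.js.
// The PgConfig shape below is assumed for illustration.
import { execFile } from "node:child_process";

interface PgConfig {
  host: string;
  port: number;
  user: string;
  password: string;
  database: string;
}

// UNSAFE: every field lands inside a string that a shell will parse, so any
// shell metacharacter in a user-controlled value changes the command (CWE-78).
function unsafeShellCommand(c: PgConfig): string {
  return `PGPASSWORD=${c.password} pg_dump -h ${c.host} -p ${c.port} -U ${c.user} ${c.database}`;
}

// Strict allowlist for values that must appear as argv entries (IPv6 literals excluded).
const SAFE_TOKEN = /^[A-Za-z0-9._-]{1,128}$/;

function assertSafeToken(name: string, value: string): string {
  if (!SAFE_TOKEN.test(value)) throw new Error(`invalid characters in ${name}`);
  return value;
}

interface Invocation { file: string; args: string[]; env: Record<string, string>; }

// SAFE: no shell is involved. Each value is its own argv entry, the port is
// range-checked as a number, and the secret travels through the environment
// rather than the command line (which also keeps it out of `ps` output).
function safeInvocation(c: PgConfig): Invocation {
  if (!Number.isInteger(c.port) || c.port < 1 || c.port > 65535) throw new Error("invalid port");
  return {
    file: "pg_dump",
    args: ["-h", assertSafeToken("host", c.host), "-p", String(c.port),
           "-U", assertSafeToken("user", c.user), assertSafeToken("database", c.database)],
    env: { PGPASSWORD: c.password },
  };
}

// Runs the tool without a shell; execFile passes argv straight to the new process.
function runDump(inv: Invocation): Promise<string> {
  return new Promise((resolve, reject) =>
    execFile(inv.file, inv.args, { env: { ...process.env, ...inv.env } },
      (err, stdout) => (err ? reject(err) : resolve(stdout))));
}
```

The same password that would break the shell string is passed through `safeInvocation` untouched, because nothing ever parses it as shell syntax.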
Vulnerability type
- CWE-77: Command Injection
- CWE-78: OS Command Injection
References
- https://github.com/Budibase/budibase/security/advisories/GHSA-726g-59wr-cj4c
- https://github.com/Budibase/budibase/commit/9fdbff32fb9e69650ba899a799e13f80d9b0...
- https://github.com/advisories/GHSA-726g-59wr-cj4c
- https://github.com/Budibase/budibase (product)
- https://github.com/Budibase/budibase/blob/f34d545602a7c94427bae63312a5ee9bf2aa6c...
- https://nvd.nist.gov/vuln/detail/CVE-2026-25041
Published: 9 Mar 2026 · Updated: 13 Mar 2026 · First seen: 9 Mar 2026