CVE-2026-25041

Published: Mar 9, 2026

Modified: Mar 9, 2026

PUBLISHED

Description

Budibase is a low-code platform for creating internal tools, workflows, and admin panels. In versions 3.23.22 and earlier, the PostgreSQL integration constructs shell commands from user-controlled configuration values (database name, host, password, etc.) without proper sanitization. The password and other connection parameters are interpolated directly into a shell command. The affected file is packages/server/src/integrations/postgres.ts.
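
The pattern described above, next to a hardened form, as an added example that is not Budibase's code or its fix. It assumes the command is pg_dump and uses hypothetical config field names (host, port, user, database, password); the page names neither.

```javascript
// Added illustration, not Budibase source. pg_dump and the cfg field names are assumptions.

// Vulnerable pattern: once this string reaches a shell, every field is shell syntax.
function unsafeCommand(cfg) {
  return `PGPASSWORD="${cfg.password}" pg_dump --schema-only --host=${cfg.host} ` +
    `--port=${cfg.port} --username=${cfg.user} ${cfg.database}`;
}

// Conservative allowlists (they reject IPv6 literals and quoted identifiers by design).
const HOST_RE = /^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$/;
const IDENT_RE = /^[A-Za-z_][A-Za-z0-9_]{0,62}$/;

function check(name, value, re) {
  if (typeof value !== "string" || !re.test(value)) throw new Error(`invalid ${name}`);
  return value;
}

// Hardened pattern: returns what to hand to child_process.execFile(file, args, options).
// No shell parses the values, and the password travels in the environment, not in argv.
function buildDumpInvocation(cfg) {
  const port = Number(cfg.port);
  if (!Number.isInteger(port) || port < 1 || port > 65535) throw new Error("invalid port");
  if (typeof cfg.password !== "string" || cfg.password.includes("\0")) {
    throw new Error("invalid password");
  }
  return {
    file: "pg_dump",
    args: [
      "--schema-only",
      `--host=${check("host", cfg.host, HOST_RE)}`,
      `--port=${port}`,
      `--username=${check("user", cfg.user, IDENT_RE)}`,
      // IDENT_RE also blocks "=" and URI prefixes, which --dbname treats as a conninfo string.
      `--dbname=${check("database", cfg.database, IDENT_RE)}`,
    ],
    options: { shell: false, env: { PATH: process.env.PATH, PGPASSWORD: cfg.password } },
  };
}

// Constructed sample config: the password carries shell metacharacters.
const sample = { host: "db.internal", port: 5432, user: "app", database: "app",
                 password: 'x"; echo injected; "' };
```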

Vendor: Budibase

Product: budibase

Versions: affected, <= 3.23.22

Weaknesses (CWE)
