SCA: security update for @budibase/backend-core (GHSA-wxq7-x3qp-vcr8)

Medium | Tenable Self-Hosted Container Security | Plugin ID 443115

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Budibase is an open-source low-code platform. Prior to 3.35.4, in the buildMatcherRegex() / matches()
functions in packages/backend-core/src/middleware/matchers.ts, route patterns are compiled into unanchored
regular expressions and tested against ctx.request.url, which includes the full query string. The CSRF
middleware in the Budibase Worker uses this matching system to decide whether to skip CSRF token
validation. An unauthenticated attacker can forge state-changing cross-origin requests against any Worker
API endpoint by injecting a public route pattern into the query string, causing the CSRF middleware to
skip token validation entirely. This allows actions such as sending admin invites, modifying global
configuration, and managing users without a valid CSRF token. This vulnerability is fixed in 3.35.4.
(CVE-2026-48147)
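The matcher weakness described above, shown as an added illustration that is not Budibase's own matchers.ts: a hypothetical route matcher in its unanchored, full-URL form beside a hardened form that anchors the pattern and tests only the path. The public-route list, the csrfSkipped() gate and the sample request URLs are constructed for the demonstration.

```typescript
// Added illustration of the flaw in the advisory: simplified, hypothetical
// code, not Budibase's matchers.ts. Route patterns are plain path prefixes
// here, and the public-route list below is a constructed assumption.
const PUBLIC_ROUTES = ["/api/public", "/api/system/status"];

// Escape a literal path so it can be embedded in a RegExp safely.
function escapeRegex(s: string): string {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// Weak shape: the pattern is compiled with no anchors and tested against the
// raw request URL, so the query string takes part in the match.
function weakMatches(requestUrl: string, patterns: string[]): boolean {
  return patterns.some((p) => new RegExp(escapeRegex(p)).test(requestUrl));
}

// Hardened shape: drop the query string and fragment first, then anchor the
// pattern so it must cover the path from its start and end at a segment
// boundary (a trailing "/" or end of string), which also blocks prefix hits.
function strictMatches(requestUrl: string, patterns: string[]): boolean {
  const path = requestUrl.replace(/[?#][\s\S]*$/, "");
  return patterns.some((p) =>
    new RegExp("^" + escapeRegex(p) + "(?:/|$)").test(path)
  );
}

// CSRF gate as the advisory describes it: a request matching a public route
// skips token validation. `weak` selects which matcher is consulted.
function csrfSkipped(requestUrl: string, weak: boolean): boolean {
  const matches = weak ? weakMatches : strictMatches;
  return matches(requestUrl, PUBLIC_ROUTES);
}

// Constructed sample requests for a quick self-check.
const samples = [
  "/api/public/app",                        // genuinely public route
  "/api/admin/users?redirect=/api/public",  // public pattern only in the query
  "/api/publicity",                         // prefix collision on the path
];
for (const u of samples) {
  console.log(u, "weak:", csrfSkipped(u, true), "strict:", csrfSkipped(u, false));
}
```

Only the first sample should skip CSRF validation; the unanchored matcher skips it for all three.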

Solution

Update the @budibase/backend-core library and its related packages to version 3.35.4 or later.

See Also

https://github.com/advisories/GHSA-wxq7-x3qp-vcr8

Plugin Details

Severity: Medium

ID: 443115

Version: Revision 1.1

Type: Local

Family: SCA Checks

Published: 6/12/2026

Updated: 6/12/2026

Risk Information

VPR

Risk Factor: Medium

Score: 4.4

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: High

Base Score: 7.8

Temporal Score: 5.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:C/A:N

CVSS Score Source: CVE-2026-48147

CVSS v3

Risk Factor: Medium

Base Score: 6.5

Temporal Score: 5.7

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 6/12/2026

Vulnerability Publication Date: 5/27/2026

Reference Information

CVE: CVE-2026-48147