Django REST framework

Package Instance

Lookup for vulnerable packages by Package URL.

Purlpkg:npm/%40budibase/worker@3.38.1
Typenpm
Namespace@budibase
Nameworker
Version3.38.1
Qualifiers
Subpath
Is_vulnerablefalse
Next_non_vulnerable_versionnull
Latest_non_vulnerable_versionnull
Affected_by_vulnerabilities
Fixing_vulnerabilities
0
url VCID-aem9-e5ar-1yh3
vulnerability_id VCID-aem9-e5ar-1yh3
summary Budibase is an open-source low-code platform. Prior to 3.38.1, the POST /api/global/users/onboard endpoint is protected by workspaceBuilderOrAdmin middleware, allowing any user with builder permissions to access it. When SMTP email is not configured (the default for self-hosted Budibase instances), this endpoint bypasses the admin-restricted invite flow and directly creates users via bulkCreate, accepting arbitrary admin and builder role assignments from the request body. A builder-level user can create a new global admin account and receive the generated password in the response, achieving full privilege escalation. This vulnerability is fixed in 3.38.1.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-45716
reference_id
reference_type
scores
0
value 0.00036
scoring_system epss
scoring_elements 0.11055
published_at 2026-06-13T12:55:00Z
1
value 0.00036
scoring_system epss
scoring_elements 0.11058
published_at 2026-06-12T12:55:00Z
2
value 0.00036
scoring_system epss
scoring_elements 0.10996
published_at 2026-06-11T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-45716
1
reference_url https://github.com/Budibase/budibase
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/Budibase/budibase
2
reference_url https://github.com/Budibase/budibase/releases/tag/3.38.1
reference_id 3.38.1
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-05-27T18:34:18Z/
url https://github.com/Budibase/budibase/releases/tag/3.38.1
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-45716
reference_id CVE-2026-45716
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-45716
4
reference_url https://github.com/advisories/GHSA-c54j-xp92-wh28
reference_id GHSA-c54j-xp92-wh28
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-c54j-xp92-wh28
5
reference_url https://github.com/Budibase/budibase/security/advisories/GHSA-c54j-xp92-wh28
reference_id GHSA-c54j-xp92-wh28
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-05-27T18:34:18Z/
url https://github.com/Budibase/budibase/security/advisories/GHSA-c54j-xp92-wh28
fixed_packages
0
url pkg:npm/%40budibase/worker@3.38.1
purl pkg:npm/%40budibase/worker@3.38.1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/%2540budibase/worker@3.38.1
aliases CVE-2026-45716, GHSA-c54j-xp92-wh28
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-aem9-e5ar-1yh3
Risk_scorenull
Resource_urlhttp://public2.vulnerablecode.io/packages/pkg:npm/%2540budibase/worker@3.38.1