Lookup for vulnerable packages by Package URL.

Purl pkg:npm/%40budibase/backend-core@1.0.135
Type npm
Namespace @budibase
Name backend-core
Version 1.0.135
Qualifiers
Subpath
Is_vulnerable true
Next_non_vulnerable_version 3.35.10
Latest_non_vulnerable_version 3.38.2
Affected_by_vulnerabilities
0
url VCID-26sa-d3pj-qugz
vulnerability_id VCID-26sa-d3pj-qugz
summary Budibase is an open-source low-code platform. Prior to version 3.35.10, the budibase:auth cookie containing the JWT session token is set with httpOnly: false at packages/backend-core/src/utils/utils.ts:218. JavaScript can read this cookie via document.cookie. This means every XSS becomes a full account takeover — the attacker steals the JWT and has persistent access to the victim's account. The cookie also lacks secure: true (sent over plaintext HTTP) and sameSite attribute. This issue has been patched in version 3.35.10.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-42239
reference_id
reference_type
scores
0
value 0.0004
scoring_system epss
scoring_elements 0.12307
published_at 2026-06-11T12:55:00Z
1
value 0.0004
scoring_system epss
scoring_elements 0.12405
published_at 2026-06-13T12:55:00Z
2
value 0.0004
scoring_system epss
scoring_elements 0.12397
published_at 2026-06-12T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-42239
1
reference_url https://github.com/Budibase/budibase
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/Budibase/budibase
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-42239
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-42239
3
reference_url https://github.com/Budibase/budibase/releases/tag/3.35.10
reference_id 3.35.10
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-05-07T19:39:21Z/
url https://github.com/Budibase/budibase/releases/tag/3.35.10
4
reference_url https://github.com/advisories/GHSA-4f9j-vr4p-642r
reference_id GHSA-4f9j-vr4p-642r
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-4f9j-vr4p-642r
5
reference_url https://github.com/Budibase/budibase/security/advisories/GHSA-4f9j-vr4p-642r
reference_id GHSA-4f9j-vr4p-642r
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-05-07T19:39:21Z/
url https://github.com/Budibase/budibase/security/advisories/GHSA-4f9j-vr4p-642r
fixed_packages
0
url pkg:npm/%40budibase/backend-core@3.35.10
purl pkg:npm/%40budibase/backend-core@3.35.10
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/%2540budibase/backend-core@3.35.10
aliases CVE-2026-42239, GHSA-4f9j-vr4p-642r
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-26sa-d3pj-qugz
1
url VCID-pqcu-pgng-9qhh
vulnerability_id VCID-pqcu-pgng-9qhh
summary Budibase is an open-source low-code platform. Prior to version 3.33.4, a server-side request forgery (SSRF) vulnerability exists in Budibase's REST datasource connector. The platform's SSRF protection mechanism (IP blacklist) is rendered completely ineffective because the BLACKLIST_IPS environment variable is not set by default in any of the official deployment configurations. When this variable is empty, the blacklist function unconditionally returns false, allowing all requests through without restriction. This issue has been patched in version 3.33.4.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-31818
reference_id
reference_type
scores
0
value 0.00016
scoring_system epss
scoring_elements 0.0375
published_at 2026-06-13T12:55:00Z
1
value 0.00016
scoring_system epss
scoring_elements 0.03741
published_at 2026-06-11T12:55:00Z
2
value 0.00016
scoring_system epss
scoring_elements 0.0376
published_at 2026-06-12T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-31818
1
reference_url https://github.com/Budibase/budibase
reference_id
reference_type
scores
0
value 9.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/Budibase/budibase
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-31818
reference_id
reference_type
scores
0
value 9.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-31818
3
reference_url https://github.com/Budibase/budibase/pull/18236
reference_id 18236
reference_type
scores
0
value 9.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
1
value CRITICAL
scoring_system generic_textual
scoring_elements
2
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-04-03T20:04:22Z/
url https://github.com/Budibase/budibase/pull/18236
4
reference_url https://github.com/Budibase/budibase/releases/tag/3.33.4
reference_id 3.33.4
reference_type
scores
0
value 9.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
1
value CRITICAL
scoring_system generic_textual
scoring_elements
2
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-04-03T20:04:22Z/
url https://github.com/Budibase/budibase/releases/tag/3.33.4
5
reference_url https://github.com/Budibase/budibase/commit/5b0fe83d4ece52696b62589cba89ef50cc009732
reference_id 5b0fe83d4ece52696b62589cba89ef50cc009732
reference_type
scores
0
value 9.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
1
value CRITICAL
scoring_system generic_textual
scoring_elements
2
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-04-03T20:04:22Z/
url https://github.com/Budibase/budibase/commit/5b0fe83d4ece52696b62589cba89ef50cc009732
6
reference_url https://github.com/advisories/GHSA-7r9j-r86q-7g45
reference_id GHSA-7r9j-r86q-7g45
reference_type
scores
0
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-7r9j-r86q-7g45
7
reference_url https://github.com/Budibase/budibase/security/advisories/GHSA-7r9j-r86q-7g45
reference_id GHSA-7r9j-r86q-7g45
reference_type
scores
0
value 9.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
1
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
2
value CRITICAL
scoring_system generic_textual
scoring_elements
3
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-04-03T20:04:22Z/
url https://github.com/Budibase/budibase/security/advisories/GHSA-7r9j-r86q-7g45
fixed_packages
0
url pkg:npm/%40budibase/backend-core@3.33.4
purl pkg:npm/%40budibase/backend-core@3.33.4
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-26sa-d3pj-qugz
1
vulnerability VCID-t9dz-y65b-yubn
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/%2540budibase/backend-core@3.33.4
aliases CVE-2026-31818, GHSA-7r9j-r86q-7g45
risk_score 4.5
exploitability 0.5
weighted_severity 9.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-pqcu-pgng-9qhh
2
url VCID-t9dz-y65b-yubn
vulnerability_id VCID-t9dz-y65b-yubn
summary Budibase is an open-source low-code platform. Prior to 3.35.4, the authenticated middleware uses unanchored regular expressions to match public (no-auth) endpoint patterns against ctx.request.url. Since ctx.request.url in Koa includes the query string, an attacker can access any protected endpoint by appending a public endpoint path as a query parameter. For example, POST /api/global/users/search?x=/api/system/status bypasses all authentication because the regex /api/system/status/ matches in the query string portion of the URL. This vulnerability is fixed in 3.35.4.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-41428
reference_id
reference_type
scores
0
value 0.00104
scoring_system epss
scoring_elements 0.2804
published_at 2026-06-13T12:55:00Z
1
value 0.00104
scoring_system epss
scoring_elements 0.27815
published_at 2026-06-11T12:55:00Z
2
value 0.00104
scoring_system epss
scoring_elements 0.28013
published_at 2026-06-12T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-41428
1
reference_url https://github.com/Budibase/budibase
reference_id
reference_type
scores
0
value 9.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/Budibase/budibase
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-41428
reference_id
reference_type
scores
0
value 9.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-41428
3
reference_url https://github.com/advisories/GHSA-8783-3wgf-jggf
reference_id GHSA-8783-3wgf-jggf
reference_type
scores
0
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-8783-3wgf-jggf
4
reference_url https://github.com/Budibase/budibase/security/advisories/GHSA-8783-3wgf-jggf
reference_id GHSA-8783-3wgf-jggf
reference_type
scores
0
value 9.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
1
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
2
value CRITICAL
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-24T20:00:28Z/
url https://github.com/Budibase/budibase/security/advisories/GHSA-8783-3wgf-jggf
fixed_packages
aliases CVE-2026-41428, GHSA-8783-3wgf-jggf
risk_score 4.5
exploitability 0.5
weighted_severity 9.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-t9dz-y65b-yubn
Fixing_vulnerabilities
Risk_score 4.5
Resource_url http://public2.vulnerablecode.io/packages/pkg:npm/%2540budibase/backend-core@1.0.135