CPE
critical
advisory
Budibase NoSQL Operator Injection (CVE-2026-54350)
1 rule 3 TTPs 1 CVE 3 IOCsAn unauthenticated attacker can exploit CVE-2026-54350, a NoSQL operator injection vulnerability in Budibase server versions prior to 3.39.12, by injecting malicious parameters into public-facing query templates, enabling them to bypass intended query filters, read all documents including sensitive information, and modify all documents within affected collections with a single HTTP request.
PoC
Budibase server +2
nosql-injection
web-vulnerability
budibase
data-exfiltration
data-manipulation
critical-vulnerability
api-exploitation
1r
3t
1c
3i
updated
critical
advisory
Budibase Arbitrary File Read Vulnerability via PWA-zip Symlink Upload (CVE-2026-54352)
4 TTPs 1 CVE 3 IOCsA critical vulnerability, CVE-2026-54352, in Budibase server allows an authenticated workspace builder to perform arbitrary file reads on the host system by uploading a crafted PWA zip file containing a symbolic link, leading to credential compromise and privilege escalation, potentially enabling a full global administrator takeover.
Budibase server < 3.39.9 +1
arbitrary-file-read
web-vulnerability
privilege-escalation
credential-access
symlink
budibase
cloud
saas
4t
1c
3i