Product
critical
advisory
Budibase NoSQL Operator Injection (CVE-2026-54350)
1 rule 3 TTPs 1 CVE 3 IOCsAn unauthenticated attacker can exploit CVE-2026-54350, a NoSQL operator injection vulnerability in Budibase server versions prior to 3.39.12, by injecting malicious parameters into public-facing query templates, enabling them to bypass intended query filters, read all documents including sensitive information, and modify all documents within affected collections with a single HTTP request.
PoC
Budibase server +2
nosql-injection
web-vulnerability
budibase
data-exfiltration
data-manipulation
critical-vulnerability
api-exploitation
1r
3t
1c
3i
updated