{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-35218/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":8.7,"id":"CVE-2026-35218"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["budibase","xss","cve-2026-35218","web-application"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eBudibase, an open-source low-code platform, is vulnerable to a stored cross-site scripting (XSS) attack. Prior to version 3.32.5, the Builder Command Palette renders entity names (tables, views, queries, automations) unsanitized, using Svelte\u0026rsquo;s {@html} directive. This allows an attacker with Builder access to inject arbitrary HTML into the names of database tables, views, queries, or automations. When a Builder-role user in the same workspace opens the Command Palette (Ctrl+K), the injected HTML payload is executed within their browser context. This execution can be leveraged to steal session cookies, leading to full account takeover. The vulnerability, identified as CVE-2026-35218, was patched in Budibase version 3.32.5. 
Defenders should prioritize upgrading to the patched version.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker authenticates to a Budibase instance with Builder access.\u003c/li\u003e\n\u003cli\u003eThe attacker creates or modifies a database table.\u003c/li\u003e\n\u003cli\u003eThe attacker injects a malicious HTML payload (e.g., \u003ccode\u003e\u0026lt;img src=x onerror=alert(document.domain)\u0026gt;\u003c/code\u003e) into the table name via the Budibase Builder interface.\u003c/li\u003e\n\u003cli\u003eThe attacker saves the modified table.\u003c/li\u003e\n\u003cli\u003eAnother authenticated user with Builder access in the same workspace opens the Command Palette (Ctrl+K).\u003c/li\u003e\n\u003cli\u003eThe Command Palette renders the table name containing the malicious HTML.\u003c/li\u003e\n\u003cli\u003eThe user\u0026rsquo;s browser executes the injected HTML, triggering the onerror event and executing JavaScript.\u003c/li\u003e\n\u003cli\u003eThe JavaScript steals the user\u0026rsquo;s session cookie and sends it to an attacker-controlled server.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the stolen session cookie to impersonate the victim user and gain full account access.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability can lead to the theft of sensitive user session cookies, allowing an attacker to impersonate legitimate users with Builder access. This can result in unauthorized modification of Budibase applications, exfiltration of sensitive data stored within Budibase, and further compromise of systems integrated with Budibase. 
The severity is high due to the ease of exploitation for authenticated users and the potential for complete account takeover.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Budibase to version 3.32.5 or later to remediate CVE-2026-35218.\u003c/li\u003e\n\u003cli\u003eImplement the Sigma rule \u003ccode\u003eBudibase_Suspicious_Command_Palette_HTML\u003c/code\u003e to detect potential exploitation attempts by monitoring HTTP activity related to the Command Palette.\u003c/li\u003e\n\u003cli\u003eEnable webserver logging to collect the data required by the Sigma rule \u003ccode\u003eBudibase_Suspicious_Command_Palette_HTML\u003c/code\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-03T16:16:41Z","date_published":"2026-04-03T16:16:41Z","id":"/briefs/2026-04-budibase-xss/","summary":"A stored cross-site scripting (XSS) vulnerability in Budibase versions prior to 3.32.5 allows authenticated users with Builder access to inject malicious HTML payloads into entity names, leading to potential session cookie theft and account takeover when other Builder users open the Command Palette.","title":"Budibase Stored Cross-Site Scripting Vulnerability (CVE-2026-35218)","url":"https://feed.craftedsignal.io/briefs/2026-04-budibase-xss/"}],"language":"en","title":"CraftedSignal Threat Feed — CVE-2026-35218","version":"https://jsonfeed.org/version/1.1"}