PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-48149 Budibase CVE debrief

A stored cross-site scripting (XSS) vulnerability exists in Budibase, an open-source low-code platform, affecting versions prior to 3.39.0. The vulnerability resides in the Text component's Markdown rendering functionality, where user-supplied markdown content is parsed and assigned directly to innerHTML without sanitization. Any application user with WRITE permissions on a table can inject malicious payloads into columns bound to Text components operating in Markdown mode, leading to persistent XSS execution in other users' sessions. The CVSS 3.1 score of 8.1 reflects high impact to confidentiality and integrity with low attack complexity. This vulnerability was disclosed via GitHub Security Advisory and is tracked as GHSA-57p7-9h9w-xqpw.

Vendor: Budibase
Product: Unknown
CVSS: HIGH 8.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-27
Original CVE updated: 2026-05-27
Advisory published: 2026-05-27
Advisory updated: 2026-05-27

Who should care

Organizations running Budibase self-hosted or cloud instances with multi-user applications utilizing Text components in Markdown mode. Security teams responsible for low-code/no-code platform governance. Application developers building Budibase apps with user-generated content displayed through markdown-enabled Text components.

Technical summary

The Budibase Text component in Markdown mode uses the marked library to parse markdown content but assigns the parsed output directly to innerHTML without HTML sanitization. Because Markdown permits raw inline HTML, the parser's output can carry attacker-controlled markup, including script-bearing elements and event-handler attributes, straight into the DOM. This creates a stored XSS sink where any BASIC application user with WRITE permissions on the underlying table can inject malicious JavaScript payloads. The vulnerability is located in packages/bbui/src/Markdown/MarkdownViewer.svelte at line 22. Successful exploitation allows persistent script execution in the context of other users viewing the affected components.

Defensive priority

HIGH

Recommended defensive actions

  • Upgrade Budibase to version 3.39.0 or later to remediate the stored XSS vulnerability in the Text component markdown rendering.
  • Review application configurations to identify all Text components operating in Markdown mode and audit bound data sources for unauthorized modifications.
  • Implement Content Security Policy (CSP) headers as a defense-in-depth measure to mitigate impact of any residual or similar XSS vectors.
  • Validate that markdown content processing in custom components or forks does not replicate the vulnerable pattern of direct innerHTML assignment without sanitization.
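To support the last action above, the following is an added example (not Budibase code and not taken from the advisory): a small source audit that flags the pattern this debrief describes, marked output reaching innerHTML or a Svelte {@html} block without a sanitizer call in between. The Svelte and DOM snippets it scans are constructed for illustration, not copies of MarkdownViewer.svelte, and the hardened sample uses DOMPurify only as one commonly used sanitizer; this does not claim that Budibase's 3.39.0 fix uses it. The list of recognised sanitizer names is a heuristic you would extend for your own code base.

```javascript
// Heuristic audit for "Markdown parser output assigned to an HTML sink without
// sanitization". Tracks, per file, which variables hold unsanitised marked()
// output and reports sinks that consume them. Not a substitute for a real
// taint analysis, but enough to grep a fork or custom component tree.

const PARSER_RE = /\bmarked(?:\.parse|\.parseInline)?\s*\(/;
// Assumption: these names denote an HTML sanitizer in the audited code base.
const SANITIZER_RE = /\b(?:DOMPurify\.sanitize|sanitizeHtml|sanitize)\s*\(/;
// Matches `const x = ...`, `let x = ...`, `x = ...` and Svelte's `$: x = ...`.
const ASSIGN_RE = /^\s*(?:\$:\s*|(?:const|let|var)\s+)?([A-Za-z_$][\w$]*)\s*=\s*(.+?);?\s*$/;
const SINKS = [
  { name: 'innerHTML', re: /\.innerHTML\s*=\s*(.+?);?\s*$/ },
  { name: '{@html}', re: /\{@html\s+([^}]+)\}/ },
];

// An expression is unsafe when it calls the parser directly, or references a
// variable holding parser output, and no sanitizer wraps it on this line.
function isUnsafe(expr, tainted) {
  if (SANITIZER_RE.test(expr)) return false;
  if (PARSER_RE.test(expr)) return true;
  return [...tainted].some((name) => new RegExp(`\\b${name}\\b`).test(expr));
}

function auditSource(filename, source) {
  const findings = [];
  const tainted = new Set(); // variable names currently holding raw parser output
  source.split('\n').forEach((line, i) => {
    const lineNo = i + 1;
    const assign = line.match(ASSIGN_RE);
    if (assign) {
      const [, name, rhs] = assign;
      if (isUnsafe(rhs, tainted)) tainted.add(name);
      else tainted.delete(name); // reassigned to something clean
    }
    for (const sink of SINKS) {
      const m = line.match(sink.re);
      if (m && isUnsafe(m[1], tainted)) {
        findings.push({ file: filename, line: lineNo, sink: sink.name, expr: m[1].trim() });
      }
    }
  });
  return findings;
}

// Constructed sample 1: Svelte component mirroring the vulnerable pattern.
const VULNERABLE_SVELTE = `
<script>
  import { marked } from "marked"
  export let value
  $: html = marked.parse(value || "")
</script>
{@html html}
`;

// Constructed sample 2: plain DOM code with the same sink.
const VULNERABLE_DOM = `
const el = document.getElementById("out")
el.innerHTML = marked.parse(userMarkdown)
`;

// Constructed sample 3: parser output passed through a sanitizer first.
const FIXED_SVELTE = `
<script>
  import { marked } from "marked"
  import DOMPurify from "dompurify"
  export let value
  $: html = DOMPurify.sanitize(marked.parse(value || ""))
</script>
{@html html}
`;

// Runs the audit over the three constructed samples and returns all findings.
function auditSamples() {
  return [
    ...auditSource('Vulnerable.svelte', VULNERABLE_SVELTE),
    ...auditSource('render.js', VULNERABLE_DOM),
    ...auditSource('Fixed.svelte', FIXED_SVELTE),
  ];
}

for (const f of auditSamples()) {
  console.log(`${f.file}:${f.line} unsanitised parser output reaches ${f.sink}: ${f.expr}`);
}
```

Run it against real files by reading each `.svelte` or `.js` source and calling `auditSource(path, text)`; a finding means a reviewer should confirm that a sanitizer sits between the parser and the sink, or that the component is removed from user-writable data paths.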

Evidence notes

Vulnerability confirmed through GitHub Security Advisory GHSA-57p7-9h9w-xqpw. The advisory identifies the specific code location at packages/bbui/src/Markdown/MarkdownViewer.svelte:22 where marked.parse() output is assigned to innerHTML without sanitization. CWE-79 (Improper Neutralization of Input During Web Page Generation) is the assigned weakness. Fix version 3.39.0 is confirmed in advisory.

Official resources

2026-05-27