[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"repo-stars":3,"vuln-CVE-2026-41428":6},{"stargazers_count":4,"fetched_at":5},5,"2026-04-25T12:20:59.409Z",{"id":7,"descriptions":8,"cisa":9,"weaknesses":10,"exploits":60,"aliases":61,"duplicate_of":9,"upstream":62,"downstream":63,"duplicates":64,"related":65,"reserved_at":9,"published_at":66,"modified_at":67,"state":68,"summary":69,"references_raw":76,"kevs":83,"epss":9,"epss_history":84,"metrics":85,"affected":93},"CVE-2026-41428","Budibase is an open-source low-code platform. Prior to 3.35.4, the authenticated middleware uses unanchored regular expressions to match public (no-auth) endpoint patterns against ctx.request.url. Since ctx.request.url in Koa includes the query string, an attacker can access any protected endpoint by appending a public endpoint path as a query parameter. For example, POST /api/global/users/search?x=/api/system/status bypasses all authentication because the regex /api/system/status/ matches in the query string portion of the URL. This vulnerability is fixed in 3.35.4.",null,[11],{"_key":12,"id":12,"name":13,"description":14,"type":15,"status":16,"abstraction":17,"likelihood_of_exploit":18,"capec":19},"CWE-287","Improper Authentication","When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.","weakness","Draft","Class","High",[20,24,28,32,36,40,44,48,52,56],{"id":21,"name":22,"techniques":23},"CAPEC-114","Authentication Abuse",[],{"id":25,"name":26,"techniques":27},"CAPEC-115","Authentication Bypass",[],{"id":29,"name":30,"techniques":31},"CAPEC-151","Identity Spoofing",[],{"id":33,"name":34,"techniques":35},"CAPEC-194","Fake the Source of Data",[],{"id":37,"name":38,"techniques":39},"CAPEC-22","Exploiting Trust in Client",[],{"id":41,"name":42,"techniques":43},"CAPEC-57","Utilizing REST's Trust in the System Resource to Obtain Sensitive Data",[],{"id":45,"name":46,"techniques":47},"CAPEC-593","Session Hijacking",[],{"id":49,"name":50,"techniques":51},"CAPEC-633","Token Impersonation",[],{"id":53,"name":54,"techniques":55},"CAPEC-650","Upload a Web Shell to a Web Server",[],{"id":57,"name":58,"techniques":59},"CAPEC-94","Adversary in the Middle (AiTM)",[],[],[],[],[],[],[],"2026-04-24T19:17:29.501Z","2026-04-24T20:00:50.097Z","Received",{"cisa_kev":70,"cisa_ransomware":70,"cisa_vendor":9,"epss_severity":9,"epss_score":9,"severity":71,"severity_score":72,"severity_version":73,"severity_source":74,"severity_vector":75,"severity_status":68},false,"critical",9.1,"v3.1","cve.org","CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",[77],{"url":78,"sources":79,"tags":81},"https://github.com/Budibase/budibase/security/advisories/GHSA-8783-3wgf-jggf",[74,80],"nvd",[82],"X Refsource CONFIRM",[],[],[86,91],{"source":74,"cvss_v2_0":9,"cvss_v3_0":9,"cvss_v3_1":87,"cvss_v4_0":9},{"baseScore":72,"baseSeverity":88,"vectorString":75,"impactScore":89,"exploitabilityScore":90},"CRITICAL",8.7,10,{"source":80,"cvss_v2_0":9,"cvss_v3_0":9,"cvss_v3_1":92,"cvss_v4_0":9},{"baseScore":72,"baseSeverity":88,"vectorString":75,"impactScore":89,"exploitabilityScore":90},[94],{"ecosystem":9,"name":95,"vendor":95,"product":95,"cpe_part":96,"purl_type":9,"purl_namespace":9,"purl_name":9,"source":9,"versions":97},"budibase","a",[98],{"version":99,"is_range":100,"range_type":74,"version_start":9,"version_start_type":9,"version_end":101,"version_end_type":102,"fixed_in":9},"\u003C 3.35.4",true,"3.35.4","excluding"]