CVE-2026-25044: Budibase: Command Injection in Bash Automation Step

April 3, 2026 (updated April 9, 2026)

Location: packages/server/src/automations/steps/bash.ts

References

github.com/Budibase/budibase
github.com/Budibase/budibase/releases/tag/3.33.2
github.com/Budibase/budibase/security/advisories/GHSA-gjw9-34gf-rp6m
github.com/advisories/GHSA-gjw9-34gf-rp6m
nvd.nist.gov/vuln/detail/CVE-2026-25044

Code Behaviors & Features

Detect and mitigate CVE-2026-25044 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →