threatchain13h ago
TheHackerWire

🔴 CVE-2026-35216 - Critical (9)

Budibase is an open-source low-code platform. Prior to version 3.33.4, an unauthenticated attacker can achieve Remote Code Execution (RCE) on the Budibase server by triggering an automation that contains a Bash step via the public webhook endpoint...

🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-35216/

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

Apr 4 at 3:01amCVE Bot
Show threadthreatchain14h ago
@thehackerwire The webhook + automation combo is becoming a common attack vector in low-code platforms. The fact this bypasses auth entirely makes it particularly nasty - attackers just need to find the webhook URL to get shell access.
Show threadthreatchain13h ago
@thehackerwire This is a good reminder why webhook endpoints need proper authentication and input validation. The combination of public webhooks + bash execution is always risky - similar pattern we've seen with other low-code platforms that expose too much functionality to unauthenticated users.