Seerr is an open-source media request and discovery manager for Jellyfin, Plex, and Emby
Description
Seerr is an open-source media request and discovery manager for Jellyfin, Plex, and Emby
Remediation
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
---METADATA---
VENDOR: Budibase
PRODUCT: Budibase Cloud (SaaS)
AFFECTED_VERSIONS: Prior to version 3.30.4
---END_METADATA---
Description Summary:
Budibase Cloud suffers from an unsafe eval() vulnerability in its view filtering, allowing authenticated users to execute arbitrary JavaScript and access sensitive environment secrets.
Executive Summary:
An authenticated remote code execution vulnerability in Budibase Cloud allows users to compromise the server environment and extract highly sensitive administrative credentials.
Vulnerability Details
CVE-ID: CVE-2026-27702
Affected Software: Budibase Budibase Cloud (SaaS)
Affected Versions: Prior to version 3.30.4
Vulnerability: This flaw involves an unsafe
eval()call within theinMemoryView.tscomponent where user-controlled input is processed without sanitization. Any authenticated user, including those on free tier accounts, can trigger this to execute arbitrary code with the privileges of the application service.Business Impact
A successful exploit grants an attacker access to the pod's environment variables, which include critical secrets such as
INTERNAL_API_KEY,JWT_SECRET, and AWS keys. This leads to total database compromise, the ability to enumerate all tenant databases, and unauthorized access to sensitive user records and email addresses. With a CVSS score of 9.9, this represents a critical risk to data confidentiality and platform integrity.Remediation Plan
Immediate Action: Budibase Cloud users must ensure they are using version 3.30.4 or later; as this is a SaaS product, confirm with the vendor that the patch is applied.
Proactive Monitoring: Security teams should review access logs for unusual view filtering activity and rotate any credentials or API keys that may have been exposed in the environment.
Compensating Controls: Implement strict egress filtering on the application environment to prevent the exfiltration of environment variables to external attacker-controlled servers.
Exploitation Status
Public Exploit Available: false
Analyst Notes: As of Feb 25, 2026, there is no public information indicating active exploitation of this vulnerability. However, due to the nature of the flaw and the sensitivity of the exposed secrets, the potential for exploitation is extremely high.
Analyst Recommendation
The severity of this RCE vulnerability cannot be overstated, as it exposes the foundational secrets of the Budibase Cloud infrastructure. Organizations must verify that their instances are running the patched version and immediately rotate all administrative secrets to mitigate the risk of persistent access by a malicious actor.