Budibase SQL Injection in PostgreSQL, MSSQL, MySQL Connectors
Three SQL injection vulnerabilities were discovered in Budibase's database connectors for PostgreSQL, Microsoft SQL Server, and MySQL.
What changed
Schema and table names taken from the datasource configuration are interpolated into raw SQL query strings without identifier escaping in the PostgreSQL, Microsoft SQL Server, and MySQL connectors. An authenticated Budibase administrator who can edit a datasource can therefore supply a name that closes the intended statement and appends arbitrary SQL, which runs with the privileges of the database account configured for that datasource. Depending on that account's privileges and the features enabled on the database server, this can lead to full compromise of the connected database and, in the worst case, operating-system command execution on the database host.
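The following is an added illustration of the bug class described above; it is not Budibase's code and does not reproduce the project's connector logic. It shows the vulnerable pattern (an identifier dropped straight into the query text) next to a hardened builder that quotes identifiers per dialect and checks them against an allowlist of known tables. The function names, the `demo` payload, and the `knownTables` set are all constructed for the example.

```javascript
// Added example, not Budibase's code. Demonstrates identifier injection in a
// SQL connector and one way to harden it.

// VULNERABLE pattern: schema/table names dropped straight into the query text.
// Any quote, semicolon or comment sequence in the name rewrites the statement.
function buildCountQueryVulnerable(schema, table) {
  return `SELECT COUNT(*) FROM ${schema}.${table}`;
}

// Dialect-specific identifier quoting. Each dialect has a single closing
// delimiter, escaped by doubling it, so a user-supplied name can never close
// the identifier early. (Parameter binding does not apply to identifiers;
// quoting or allowlisting is the only option.)
const QUOTERS = {
  postgres: (id) => `"${id.replace(/"/g, '""')}"`,
  mysql:    (id) => `\`${id.replace(/`/g, '``')}\``,
  mssql:    (id) => `[${id.replace(/]/g, ']]')}]`,
};

function quoteIdentifier(dialect, id) {
  const quote = QUOTERS[dialect];
  if (!quote) throw new Error(`unknown dialect: ${dialect}`);
  if (typeof id !== 'string' || id.length === 0 || id.length > 128) {
    throw new Error('invalid identifier');
  }
  // A NUL byte can truncate the string in some drivers; reject it outright.
  if (id.includes('\0')) throw new Error('NUL byte in identifier');
  return quote(id);
}

// HARDENED pattern: quote every identifier and, where the valid names are
// known (for example from a prior schema fetch), refuse anything else.
function buildCountQuerySafe(dialect, schema, table, knownTables) {
  if (knownTables && !knownTables.has(`${schema}.${table}`)) {
    throw new Error(`unknown table ${schema}.${table}`);
  }
  const qualified =
    `${quoteIdentifier(dialect, schema)}.${quoteIdentifier(dialect, table)}`;
  return `SELECT COUNT(*) FROM ${qualified}`;
}

// Constructed attacker-controlled table name, as a malicious admin might enter
// it in a datasource configuration. In the vulnerable builder it ends the
// SELECT and appends a second statement; the trailing comment swallows
// whatever the connector would have added after the name.
const MALICIOUS_TABLE = 'users; DROP TABLE audit_log; --';

function demo() {
  const vulnerable = buildCountQueryVulnerable('public', MALICIOUS_TABLE);
  // Quoted: the whole payload is now one (nonexistent) identifier, so the
  // database returns "relation does not exist" instead of running DROP TABLE.
  const quotedOnly = buildCountQuerySafe('postgres', 'public', MALICIOUS_TABLE);
  // Allowlisted: the request is rejected before any SQL is built.
  let allowlisted;
  try {
    buildCountQuerySafe('postgres', 'public', MALICIOUS_TABLE,
      new Set(['public.users']));
    allowlisted = 'accepted';
  } catch (e) {
    allowlisted = e.message;
  }
  return { vulnerable, quotedOnly, allowlisted };
}

console.log(demo());
```

Quoting alone turns the payload into an unknown table name rather than a second statement; the allowlist is what a connector that has already discovered the schema should prefer, because it rejects the request without relying on the database to parse the quoted identifier correctly.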
Who it affects
Every Budibase deployment with a PostgreSQL, Microsoft SQL Server, or MySQL datasource configured. Exploitation requires an authenticated Budibase administrator account with permission to modify datasource configurations, so the practical threat is a malicious or compromised admin account. The blast radius is the connected database and its host, not only the Budibase instance, and it is bounded by the privileges of the database account each datasource uses.
What to do today
Update Budibase to the latest patched release as soon as possible. Until you can, restrict datasource configuration to a small set of trusted administrators, review existing PostgreSQL, MSSQL, and MySQL datasource configurations for schema or table names containing quotes, semicolons, or comment sequences, and consider disabling the affected connectors temporarily. Independently of the patch, give the database accounts used by these datasources only the privileges they need: no superuser or DDL rights, and no access to command-execution features such as MSSQL's xp_cmdshell, so that an injected statement cannot escalate beyond the tables Budibase legitimately uses.