CVE-2026-42239
HIGHDescription
Budibase is an open-source low-code platform. Prior to version 3.35.10, the budibase:auth cookie containing the JWT session token is set with httpOnly: false at packages/backend-core/src/utils/utils.ts:218. JavaScript can read this cookie via document.cookie. This means every XSS becomes a full account takeover — the attacker steals the JWT and has persistent access to the victim's account. The cookie also lacks secure: true (sent over plaintext HTTP) and sameSite attribute. This issue has been patched in version 3.35.10.
CVSS v3.1 Score
EPSS — Exploit Prediction
EPSS estimates the probability that this vulnerability will be exploited in the wild within the next 30 days. A higher score means more likely to be exploited.
Weakness Type (CWE)
References
Frequently Asked Questions
What is CVE-2026-42239? +
How severe is CVE-2026-42239? +
How do I check if I'm vulnerable to CVE-2026-42239? +
Related Vulnerabilities
This vulnerability exists in the CP Plus Router due to insecure handling of cookie flags used within its web interface. …
This vulnerability exists in Digisol DG-GR6821AC Router due to misconfiguration of both Secure and HttpOnly flags on session cookies associated …
An issue was discovered in Znuny through 7.1.3. A cookie is set without the HttpOnly flag.
TRUfusion Enterprise through 7.10.4.0 exposes the encrypted COOKIEID as an authentication mechanism for some endpoints such as /trufusionPortal/getProjectList. However, the …
This vulnerability exists in SyroTech SY-GPON-1110-WDONT Router due to missing HTTPOnly flag for the session cookies associated with the router's …
A stored cross-site scripting (XSS) vulnerability exists in the MyCourts v3 application within the LTA number profile field. An attacker …