A vulnerability was found in Budibase up to 3.39.11. It has been declared as critical. Affected is the function collection.find of the file packages/server/src/sdk/workspace/queries/queries.ts of the component JSON Parser. Manipulation leads to SQL injection. This vulnerability is referenced as CVE-2026-54350. The attack can be launched remotely. No exploit is available. It is recommended to upgrade the affected component.