A vulnerability, which was classified as critical , has been found in budibase up to 3.33.3 . This affects the function blacklist of the component Environment Variable Handler . The manipulation of the argument BLACKLIST_IPS leads to server-side request forgery. This vulnerability is documented as CVE-2026-31818 . The attack can be initiated remotely. There is not any exploit available. It is advisable to upgrade the affected component.