A CVSS 9.8 authentication bypass in Budibase 3.31.4 and earlier allows unauthenticated access to every API endpoint via a regex injection in the webhook middleware. CISA has confirmed active exploitation, a public reverse shell exploit is available on GitHub, and no authentication or special privilege is required to trigger the flaw.