GHSA-cv96-5348-p5p8: Budibase: Unvalidated VectorDB Host Parameter Enables SSRF
Summary
Budibase's VectorDB configuration endpoint accepts a host parameter with no validation, allowing any authenticated builder-level user to make the server connect to internal IP addresses or cloud metadata endpoints (like AWS's 169.254.169.254). This is an SSRF vulnerability (server-side request forgery, where a server is tricked into making requests to unintended destinations), enabling attackers to scan internal networks, discover running services, and potentially steal cloud credentials.
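A defensive sketch of the missing check, added here as an illustration; it is not Budibase's code or its actual fix. The function names, the deny list and the injectable `lookup` parameter are assumptions. It resolves the supplied host and refuses loopback, private and link-local targets, including the metadata address named above.

```javascript
// Added example (hypothetical names): egress guard for a user-supplied DB host.
const net = require("net");
const dns = require("dns").promises;

// Ranges a server-side connector should not reach on a user's behalf.
// This list is an assumption; extend it for your own network layout.
const DENIED = new net.BlockList();
for (const [base, prefix] of [
  ["0.0.0.0", 8],       // "this network"
  ["10.0.0.0", 8],      // RFC 1918 private
  ["100.64.0.0", 10],   // carrier-grade NAT
  ["127.0.0.0", 8],     // loopback
  ["169.254.0.0", 16],  // link-local, covers 169.254.169.254
  ["172.16.0.0", 12],   // RFC 1918 private
  ["192.168.0.0", 16],  // RFC 1918 private
]) DENIED.addSubnet(base, prefix, "ipv4");
DENIED.addAddress("::", "ipv6");        // unspecified
DENIED.addAddress("::1", "ipv6");       // loopback
DENIED.addSubnet("fc00::", 7, "ipv6");  // unique local
DENIED.addSubnet("fe80::", 10, "ipv6"); // link-local

// True when the address must not be contacted. Anything that is not a
// valid IP literal is denied (fail closed).
function isDeniedAddress(ip) {
  const family = net.isIP(ip);
  if (family === 0) return true;
  return DENIED.check(ip, family === 6 ? "ipv6" : "ipv4");
}

// Resolve the host once, reject if ANY resulting address is denied, and
// return the vetted IP. `lookup` is injectable so the check can be
// exercised offline with constructed answers.
async function resolveVectorDbHost(host, lookup = dns.lookup) {
  if (typeof host !== "string" || host.length === 0) {
    throw new Error("host is required");
  }
  const answers = net.isIP(host) !== 0
    ? [{ address: host }]
    : await lookup(host, { all: true });
  if (answers.length === 0) throw new Error(`no addresses for ${host}`);
  const bad = answers.find((a) => isDeniedAddress(a.address));
  if (bad) throw new Error(`${host} maps to denied address ${bad.address}`);
  return answers[0].address;
}
```

Connect to the returned IP rather than the original name, so a second DNS lookup at connect time cannot yield a different address than the one that was checked.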
Vulnerability Details
EPSS: 0.0%
Yes
June 12, 2026
Original source: https://github.com/advisories/GHSA-cv96-5348-p5p8
First tracked: June 12, 2026 at 08:00 PM
Classified by LLM (prompt v3) · confidence: 75%