CVE-2026-25737

HIGH

Budibase <=3.24.0 - Arbitrary File Upload


Description

Budibase is a low-code platform for creating internal tools, workflows, and admin panels. In 3.24.0 and earlier, an arbitrary file upload vulnerability exists even when file extension restrictions are configured. The restriction is enforced only at the UI level, so an attacker can bypass it and upload malicious files.

Scores

CVSS v3: 8.9
EPSS: 0.0006
EPSS Percentile: 18.6%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:L

CISA SSVC

Vulnrichment
Exploitation: poc
Automatable: no
Technical Impact: total

Details

CWE: CWE-918, CWE-602, CWE-79
Status: published
Products (1)
budibase/budibase < 3.24.0
Published: Mar 09, 2026
Tracked Since: Mar 10, 2026