CVE-2026-25737

HIGH

Budibase <=3.24.0 - Arbitrary File Upload


Description

Budibase is a low-code platform for creating internal tools, workflows, and admin panels. In versions 3.24.0 and earlier, an arbitrary file upload vulnerability exists even when file extension restrictions are configured, because the restriction is enforced only at the UI level. An attacker can bypass these restrictions and upload malicious files.

Scores

CVSS v3: 8.9
EPSS: 0.0026
EPSS Percentile: 17.6%
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:L

CISA SSVC

Vulnrichment
Exploitation: poc
Automatable: no
Technical Impact: total

Details

CWE: CWE-918, CWE-602, CWE-79
Status: published
Products (1): budibase/budibase < 3.24.0
Published: Mar 09, 2026
Tracked Since: Mar 10, 2026