CVE-2026-25737

HIGH

Budibase <=3.24.0 - Arbitrary File Upload

Title source: llm

Description

Budibase is a low-code platform for creating internal tools, workflows, and admin panels. In versions 3.24.0 and earlier, an arbitrary file upload vulnerability exists even when file extension restrictions are configured. The restriction is enforced only at the UI level, so an attacker can bypass it and upload malicious files.

Scores

CVSS v3: 8.9
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:L

Classification

CWE: CWE-602
Status: draft

Timeline

Published: Mar 09, 2026
Tracked Since: Mar 10, 2026