CVE-2026-25737

Budibase is a low code platform for creating internal tools, workflows, and admin panels. In 3.24.0 and earlier, an arbitrary file upload vulnerability exists even though file extension restrictions are configured. The restriction is enforced only at the UI level. An attacker can bypass these restrictions and upload malicious files.

CVSS v3 8.9 HIGH

8.9^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.3 / Impact : 6.0

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact LOW

Scope CHANGED

References

Link	Resource
https://github.com/Budibase/budibase/security/advisories/GHSA-2hfr-343j-863r	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:budibase:budibase:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2026-03-09 21:16

Updated : 2026-03-13 19:16

NVD link : CVE-2026-25737

Mitre link : CVE-2026-25737

CVE.ORG link : CVE-2026-25737

JSON object : View

Products Affected

budibase

budibase

CWE

CWE-602

Client-Side Enforcement of Server-Side Security

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CWE-918

Server-Side Request Forgery (SSRF)

{"id": "CVE-2026-25737", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.9, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:L", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 2.3}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.0, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 2.3}]}, "published": "2026-03-09T21:16:15.340", "references": [{"url": "https://github.com/Budibase/budibase/security/advisories/GHSA-2hfr-343j-863r", "tags": ["Exploit", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-602"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-79"}, {"lang": "en", "value": "CWE-918"}]}], "descriptions": [{"lang": "en", "value": "Budibase is a low code platform for creating internal tools, workflows, and admin panels. In 3.24.0 and earlier, an arbitrary file upload vulnerability exists even though file extension restrictions are configured. The restriction is enforced only at the UI level. An attacker can bypass these restrictions and upload malicious files."}, {"lang": "es", "value": "Budibase es una plataforma de bajo c\u00f3digo para crear herramientas internas, flujos de trabajo y paneles de administraci\u00f3n. En la versi\u00f3n 3.24.0 y anteriores, existe una vulnerabilidad de carga arbitraria de archivos a pesar de que las restricciones de extensi\u00f3n de archivo est\u00e1n configuradas. La restricci\u00f3n se aplica solo a nivel de interfaz de usuario. Un atacante puede eludir estas restricciones y cargar archivos maliciosos."}], "lastModified": "2026-03-13T19:16:21.893", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:budibase:budibase:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "81D6E4C0-FDC0-425D-93BF-8BD9545F8B76", "versionEndIncluding": "3.24.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}