
CVE-2026-25737

CRITICAL CVSS 3.1: 9.0 EPSS 0.05%
Updated Mar 13, 2026
Budibase
Parameter Value
CVSS 9.0 (CRITICAL)
Affected Versions before 3.24.0
Type CWE-602 (Client-Side Enforcement of Server-Side Security), CWE-918 (Server-Side Request Forgery (SSRF)), CWE-79 (Cross-Site Scripting (XSS))
Vendor Budibase
Public PoC No

Budibase is a low-code platform for creating internal tools, workflows, and admin panels. In 3.24.0 and earlier, an arbitrary file upload vulnerability exists even when file extension restrictions are configured, because the restriction is enforced only at the UI level and not by the server.

An attacker can therefore bypass these restrictions and upload malicious files.

Attack Parameters

Attack Vector
Network
Can be exploited remotely
Attack Complexity
Low
Easy to exploit
Privileges Required
Low
Basic privileges needed
User Interaction
Required
User action required

Impact Assessment

Confidentiality
High
Complete data leak
Integrity
High
Complete data modification
Availability
High
Complete denial of service

CVSS Vector v3.1

Vulnerable Products 1

Configuration From (including) Up to (excluding)
Budibase Budibase
cpe:2.3:a:budibase:budibase:*:*:*:*:*:*:*:*
<= 3.24.0