Budibase: Unrestricted Upload of File with Dangerous Type_CVE-2026-46426

7.6 / 10

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N

Description

Budibase is an open-source low-code platform. Prior to 3.38.2, the file upload endpoint POST /api/attachments/process does not enforce active-content restrictions for authenticated users. The checks for dangerous file extensions are conditionally wrapped inside if (isPublicUser) or if (isPublicUser || !env.SELF_HOSTED), meaning any authenticated builder can upload executable web content — SVG files with inline <script> tags, HTML pages with JavaScript, .js modules — which are then stored in the object store (MinIO/S3) with their correct MIME types. When the resulting signed URL is opened by any app user, the browser executes the payload. Impact is persistent stored XSS over all application end users. This vulnerability is fixed in 3.38.2.

Basic Information

ID CVE-2026-46426

Source GitHub_M

Published May 27, 2026 at 17:04

Modified May 27, 2026 at 18:02

Affected Product

Vendor Budibase

Product budibase

Version < 3.38.2

Affected Versions Budibase budibase < 3.38.2

CWE Classification

CWE-79 CWE-434

References

{
    "lastseen": "",
    "description": "Budibase is an open-source low-code platform. Prior to 3.38.2, the file upload endpoint POST /api/attachments/process does not enforce active-content restrictions for authenticated users. The checks for dangerous file extensions are conditionally wrapped inside if (isPublicUser) or if (isPublicUser || !env.SELF_HOSTED), meaning any authenticated builder can upload executable web content \u2014 SVG files with inline <script> tags, HTML pages with JavaScript, .js modules \u2014 which are then stored in the object store (MinIO/S3) with their correct MIME types. When the resulting signed URL is opened by any app user, the browser executes the payload. Impact is persistent stored XSS over all application end users. This vulnerability is fixed in 3.38.2.",
    "published": "2026-05-27T17:04:42.080Z",
    "modified": "2026-05-27T18:02:00.561Z",
    "type": "cve",
    "title": "Budibase: Unrestricted Upload of File with Dangerous Type",
    "source": "GitHub_M",
    "references": "https://github.com/Budibase/budibase/security/advisories/GHSA-82rc-gxrg-v4gf\nhttps://github.com/Budibase/budibase/releases/tag/3.38.2",
    "id": "CVE-2026-46426",
    "bulletinFamily": "",
    "cwe": [
        "CWE-79",
        "CWE-434"
    ],
    "cvelist": null,
    "sourceData": "Budibase budibase < 3.38.2",
    "sourceHref": "",
    "cvss": {
        "score": 7.6,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "budibase",
    "version": "< 3.38.2",
    "vendor": "Budibase",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}