Description
Budibase is an open-source low-code platform. Prior to 3.38.2, the file upload endpoint POST /api/attachments/process does not enforce active-content restrictions for authenticated users. The checks for dangerous file extensions are conditionally wrapped inside if (isPublicUser) or if (isPublicUser || !env.SELF_HOSTED), meaning any authenticated builder can upload executable web content — SVG files with inline <script> tags, HTML pages with JavaScript, .js modules — which are then stored in the object store (MinIO/S3) with their correct MIME types. When the resulting signed URL is opened by any app user, the browser executes the payload. Impact is persistent stored XSS over all application end users. This vulnerability is fixed in 3.38.2.
Published: 2026-05-27
Score: 7.6 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Budibase, an open‑source low‑code platform, stored file uploads without enforcing active‑content restrictions for authenticated users until release 3.38.2. The validation logic for dangerous file extensions was unintentionally wrapped inside conditions that apply only to public users, allowing authenticated builders to upload executable web content such as SVG files containing <script> tags, HTML pages with JavaScript, or .js modules. These files are then stored with the correct MIME types in the object store. When any application user opens the resulting signed URL, the browser executes the embedded script, producing a persistent stored cross‑site scripting vulnerability that affects all users of the application.

Affected Systems

Budibase’s low‑code platform is affected when running versions prior to 3.38.2. Users deploying 3.38.1 or earlier are susceptible to the flaw described above. The issue is fixed in the 3.38.2 release.

Risk and Exploitability

The CVSS 3.1 base score is 7.6 (High), vector AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N: reachable over the network, low attack complexity, low privileges (an authenticated Builder account), user interaction required (a victim opens the signed URL), with a scope change and high confidentiality impact. No EPSS score is available and the vulnerability is not listed in CISA's KEV catalog, although the SSVC record on this page marks Exploitation as "poc", so a public proof of concept exists even without evidence of exploitation in the wild. The attack path is short: an attacker holding a Builder role uploads a file with an executable extension (.svg, .html, .js) to POST /api/attachments/process; the file is stored in the object store with its correct MIME type and served through a signed URL; any app user who opens that URL has the embedded script executed in their browser. Because the payload lives in the object store rather than in a request, every later visit to the same attachment triggers it until the object is removed. What the script can reach depends on the origin the signed URL is served from; if the object store is exposed on the application's own origin, treat the application session as exposed.

Generated by OpenCVE AI on May 27, 2026 at 19:20 UTC.

Remediation

Fixed in Budibase 3.38.2, per the description above and GHSA-82rc-gxrg-v4gf. No vendor workaround is listed on this page.

OpenCVE Recommended Actions

  • Upgrade Budibase to 3.38.2 or later, where the dangerous-extension check applies to every caller rather than only to public users (or only to cloud deployments).
  • Until then, treat every Builder account as able to plant the payload: the upload endpoint requires only that role, so restrict Builder membership to trusted users and review who currently holds it.
  • Validate uploads on the server unconditionally, rejecting active-content extensions such as .svg, .html and .js regardless of caller identity or deployment mode, and audit attachments uploaded before the fix; an upload-time check does not retroactively remove content already sitting in the object store.



Advisories
Source: GitHub GHSA
ID: GHSA-82rc-gxrg-v4gf
Title: Budibase: Unrestricted Upload of File with Dangerous Type
History

Wed, 27 May 2026 18:30:00 +0000

Type: Metrics (ssvc)
Values removed: none
Values added: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 27 May 2026 17:45:00 +0000

Type: Description
Values removed: none
Values added: Budibase is an open-source low-code platform. Prior to 3.38.2, the file upload endpoint POST /api/attachments/process does not enforce active-content restrictions for authenticated users. The checks for dangerous file extensions are conditionally wrapped inside if (isPublicUser) or if (isPublicUser || !env.SELF_HOSTED), meaning any authenticated builder can upload executable web content — SVG files with inline <script> tags, HTML pages with JavaScript, .js modules — which are then stored in the object store (MinIO/S3) with their correct MIME types. When the resulting signed URL is opened by any app user, the browser executes the payload. Impact is persistent stored XSS over all application end users. This vulnerability is fixed in 3.38.2.

Type: Title
Values removed: none
Values added: Budibase: Unrestricted Upload of File with Dangerous Type

Type: Weaknesses
Values removed: none
Values added: CWE-434, CWE-79

Type: References
Values removed: none
Values added: none listed

Type: Metrics (cvssV3_1)
Values removed: none
Values added: {'score': 7.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N'}



MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-27T18:02:00.561Z

Reserved: 2026-05-13T22:18:22.829Z

Link: CVE-2026-46426

Vulnrichment

Updated: 2026-05-27T18:01:47.087Z

NVD

Status: Deferred

Published: 2026-05-27T18:16:26.463

Modified: 2026-05-27T19:44:35.987

Link: CVE-2026-46426

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T19:30:35Z

Weaknesses