← Back

CVE-2026-35214

nvd nist
Published: Apr 3, 2026Modified: Apr 8, 2026

JSON object

Loading...
8.7
Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:H
Exploitability: 2.3 / Impact: 5.8
Source: security-advisories@github.com (Secondary)

Description

Budibase is an open-source low-code platform. Prior to version 3.33.4, the plugin file upload endpoint (POST /api/plugin/upload) passes the user-supplied filename directly to createTempFolder() without sanitizing path traversal sequences. An attacker with Global Builder privileges can craft a multipart upload with a filename containing ../ to delete arbitrary directories via rmSync and write arbitrary files via tarball extraction to any filesystem path the Node.js process can access. This issue has been patched in version 3.33.4.

Affected (1)

Products: Budibase: Budibase
Budibase
1 product
Budibase
Configuration A
1 vulnerable
Vulnerable SoftwareAffected Versions
Budibase
Before 3.33.4

Related CWEs

CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

References (5)

Source: security-advisories@github.com
Patch
Source: security-advisories@github.com
Issue TrackingPatch
Source: security-advisories@github.com
ProductRelease Notes
Source: security-advisories@github.com
ExploitMitigationVendor Advisory
Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0
ExploitMitigationVendor Advisory

Timeline

No history available yet.