CVE-2026-35214
CVE-2026-35214 is a high-severity path traversal vulnerability in Budibase, an open-source low-code platform, with a reported CVSS score of 8.7. In versions prior to 3.33.4, the plugin file upload endpoint (POST /api/plugin/upload) passes the user-supplied filename directly to createTempFolder() without sanitizing path traversal sequences. EPSS estimates a 0.55% probability of exploitation in the next 30 days.
Description
Budibase is an open-source low-code platform. Prior to version 3.33.4, the plugin file upload endpoint (POST /api/plugin/upload) passes the user-supplied filename directly to createTempFolder() without sanitizing path traversal sequences. An attacker with Global Builder privileges can craft a multipart upload whose filename contains ../ so that the computed temp folder resolves outside the intended root. Because that path is then passed to rmSync and used as the destination for tarball extraction, the attacker can delete arbitrary directories and write arbitrary files to any filesystem path the Node.js process can access. The issue is patched in version 3.33.4; the fix is to upgrade.
Metrics
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:H
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Budibase | Budibase | < 3.33.4 |
References
- https://github.com/Budibase/budibase/pull/18240 (Issue Tracking, Patch)
- https://github.com/Budibase/budibase/releases/tag/3.33.4 (Product, Release Notes)
- https://github.com/Budibase/budibase/security/advisories/GHSA-2wfh-rcwf-wh23 (Exploit, Mitigation, Vendor Advisory)
Frequently Asked Questions
What is CVE-2026-35214?
A path traversal vulnerability in the Budibase plugin upload endpoint (POST /api/plugin/upload). Before version 3.33.4, the user-supplied filename reaches createTempFolder() unsanitized, so a filename containing ../ lets an authenticated Global Builder delete arbitrary directories via rmSync and write arbitrary files via tarball extraction, anywhere the Node.js process has filesystem access.
How severe is CVE-2026-35214?
It is rated high severity with a reported CVSS score of 8.7 (vector CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:H). Exploitation requires Global Builder privileges, but the impact on integrity and availability is high and the scope is changed, since the filesystem outside the application is affected. EPSS estimates a 0.55% probability of exploitation in the next 30 days.
How do I fix CVE-2026-35214?
Upgrade Budibase to version 3.33.4 or later. Until the upgrade is applied, limit the Global Builder role to trusted users and review web server logs for POST /api/plugin/upload requests whose multipart filename contains path traversal sequences.
Source: NVD / NIST
