CVE-2026-46426— Budibase: Unrestricted Upload of File with Dangerous Type
Possible ATT&CK Techniques 2AI
T1059 · Command and Scripting Interpreter T1189 · Drive-by CompromiseGet alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-46426
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Budibase: Unrestricted Upload of File with Dangerous Type
Source: NVD (National Vulnerability Database)
Vulnerability Description
Budibase is an open-source low-code platform. Prior to 3.38.2, the file upload endpoint POST /api/attachments/process does not enforce active-content restrictions for authenticated users. The checks for dangerous file extensions are conditionally wrapped inside if (isPublicUser) or if (isPublicUser || !env.SELF_HOSTED), meaning any authenticated builder can upload executable web content — SVG files with inline <script> tags, HTML pages with JavaScript, .js modules — which are then stored in the object store (MinIO/S3) with their correct MIME types. When the resulting signed URL is opened by any app user, the browser executes the payload. Impact is persistent stored XSS over all application end users. This vulnerability is fixed in 3.38.2.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
在Web页面生成时对输入的转义处理不恰当(跨站脚本)
Source: NVD (National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2026-46426
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-46426
请登录查看更多情报信息。
Vendor Advisories for CVE-2026-46426 (1)
Vendor Pages for CVE-2026-46426 (1)
- 🔗 Release 3.38.2 · Budibase/budibase · GitHubx_refsource_MISC
Same Patch Batch · Budibase · 2026-05-27 · 20 CVEs total
| CVE-2026-46425 | 9.9 CRITICAL | Budibase: SCIM endpoints lack role-based authorization, BASIC users CRUD tenant users |
| CVE-2026-48150 | 9.0 CRITICAL | Budibase: Workspace-scoped builder escalates to global admin via /api/public/v1/roles/assi |
| CVE-2026-45716 | 8.8 HIGH | Budibase: Builder-to-Admin Privilege Escalation via onboardUsers Endpoint Without SMTP Con |
| CVE-2026-45717 | 8.8 HIGH | Budibase: `PUT /api/datasources/:datasourceId` is protected only by `TABLE/READ` permissio |
| CVE-2026-48153 | 8.5 HIGH | Budibase: SSRF via OAuth2 token endpoint URL reaches internal hosts and cloud metadata |
| CVE-2026-48149 | 8.1 HIGH | Budibase: Stored XSS in Text component: BASIC users execute JS in admin session via Markdo |
| CVE-2026-48152 | 8.1 HIGH | Budibase: Basic app users can exfiltrate stored REST datasource auth by rewriting datasour |
| CVE-2026-45715 | 7.7 HIGH | Budibase: SSRF Bypass via HTTP Redirect in REST Datasource Integration |
| CVE-2026-46427 | 7.7 HIGH | Budibase: Snowflake private key returned unmasked from datasource API to BASIC users |
| CVE-2026-48146 | 7.7 HIGH | Budibase: SSRF via OAuth2 Config Validation — Missing fetchWithBlacklist Protection |
| CVE-2026-45548 | 7.7 HIGH | Budibase: SSRF in AI Extract File Automation Step via Missing IP Blacklist Validation |
| CVE-2026-45061 | 7.7 HIGH | Budibase: SSRF via trivial `.tar.gz` substring bypass in Plugin URL upload (`/api/plugin`) |
| CVE-2026-48151 | 7.5 HIGH | Budibase: Webhook schema endpoint authorization bypass allows unauthenticated mutation of |
| CVE-2026-48147 | 6.5 MEDIUM | Budibase: Unanchored Regex in `matchers.ts` Allows CSRF Bypass via Query String Injection |
| CVE-2026-45719 | 6.5 MEDIUM | Budibase: CouchDB Reduce Injection via Unsanitized Calculation Parameter in V1 Views API |
| CVE-2026-45718 | 5.4 MEDIUM | Budibase: Row Action Trigger Bypasses View Row Filter Security Boundary Allowing Action on |
| CVE-2026-46424 | 4.2 MEDIUM | Budibase: Missing Cache Invalidation on Public API Role Unassignment Allows Revoked Users |
| CVE-2026-48128 | Budibase: SSRF via User-Controlled queryId in Automation Execute Query Step | |
| CVE-2026-48148 | Budibase: Unvalidated VectorDB Host Parameter Enables SSRF |
IV. Related Vulnerabilities
Same product: budibase
- CVE-2026-48147
Budibase: Unanchored Regex in `matchers.ts` Allows CSRF Bypa - CVE-2026-48148
Budibase: Unvalidated VectorDB Host Parameter Enables SSRF - CVE-2026-45548
Budibase: SSRF in AI Extract File Automation Step via Missin - CVE-2026-45715
Budibase: SSRF Bypass via HTTP Redirect in REST Datasource I - CVE-2026-45716
Budibase: Builder-to-Admin Privilege Escalation via onboardU
Same vendor: Budibase
- CVE-2026-48147
Budibase: Unanchored Regex in `matchers.ts` Allows CSRF Bypa - CVE-2026-48148
Budibase: Unvalidated VectorDB Host Parameter Enables SSRF - CVE-2026-45548
Budibase: SSRF in AI Extract File Automation Step via Missin - CVE-2026-45715
Budibase: SSRF Bypass via HTTP Redirect in REST Datasource I - CVE-2026-45716
Budibase: Builder-to-Admin Privilege Escalation via onboardU
Same weakness: CWE-79
- CVE-2026-4334
Shariff Wrapper <= 4.6.20 - Authenticated (Contributor+) Cro - CVE-2024-47097
Reflected Cross-Site Scripting in Follet School Solutions De - CVE-2024-47096
Reflected Cross-Site Scripting in Follet School Solutions De - CVE-2026-7052
HT Contact Form <= 2.8.2 - Unauthenticated Stored Cross-Site - CVE-2026-7660
Easy Updates Manager <= 9.0.20 - Reflected Cross-Site Script
V. Comments for CVE-2026-46426
No comments yet