CVE-2026-25737

Budibase Arbitrary File Upload Leading to Multiple Critical Vulnerabilities (SSRF, Stored XSS)

Description

Budibase is a low code platform for creating internal tools, workflows, and admin panels. In 3.24.0 and earlier, an arbitrary file upload vulnerability exists even though file extension restrictions are configured. The restriction is enforced only at the UI level. An attacker can bypass these restrictions and upload malicious files.

INFO

Published Date :

2026-03-09T20:08:32.067Z

Last Modified :

2026-03-09T20:34:21.618Z

Source :

GitHub_M

AFFECTED PRODUCTS

The following products are affected by CVE-2026-25737 vulnerability.

Vendors	Products
Budibase	Budibase

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-25737.

URL	Resource
https://github.com/Budibase/budibase/security/advisories/GHSA-2hfr-343j-863r

CVSS Vulnerability Scoring System

V3.1

Detailed values of each vector for above chart.

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality Impact

Integrity Impact

Availability Impact