What is the CVSS score of CVE-2026-25737?

CVE-2026-25737 has a CVSS 3.1 base score of 8.9 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:L. EPSS exploitation probability: 0.1%.

Which versions of Budibase are affected by CVE-2026-25737?

Budibase instances running version 3.24.0 or earlier are vulnerable to arbitrary file uploads that bypass configured security restrictions, potentially allowing attackers to execute malicious code…

How to fix or mitigate CVE-2026-25737?

Within 24 hours: Identify all Budibase deployments and document their versions and data criticality. Within 7 days: Implement network segmentation to restrict Budibase access to trusted networks only, disable public internet exposure, and enable comprehensive logging on file upload activities. Within 30 days: Contact Budibase vendor for patch availability timeline, evaluate alternative low-code platforms if patch timeline is unacceptable, and conduct security assessment of any files uploaded since deployment.

Budibase CVE-2026-25737

HIGH

Client-Side Enforcement of Server-Side Security (CWE-602)

2026-03-09 security-advisories@github.com

File Upload Budibase

8.9

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

8.9 HIGH

AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:L

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:L

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

Required

Scope

Changed

Confidentiality

High

Integrity

High

Availability

Low

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 21:56 vuln.today

CVE Published

Mar 09, 2026 - 21:16 nvd

HIGH 8.9

DescriptionGitHub Advisory

Budibase is a low code platform for creating internal tools, workflows, and admin panels. In 3.24.0 and earlier, an arbitrary file upload vulnerability exists even though file extension restrictions are configured. The restriction is enforced only at the UI level. An attacker can bypass these restrictions and upload malicious files.

AnalysisAI

Arbitrary file upload in Budibase 3.24.0 and earlier allows authenticated attackers to bypass UI-level file extension restrictions and upload malicious files by directly manipulating requests. An attacker with valid credentials can circumvent the intended upload controls to potentially execute arbitrary code or compromise system integrity. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Authenticate to Budibase instance

Exploit

Craft HTTP request bypassing UI file extension checks

Execution

Upload malicious file directly

Impact

Execute arbitrary code via uploaded file