What is the CVSS score of CVE-2026-35214?

CVE-2026-35214 has a CVSS 3.1 base score of 8.7 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:H. EPSS exploitation probability: 0.1%.

Which versions of Node.js are affected by CVE-2026-35214?

Budibase versions prior to 3.33.4 contain a critical path traversal vulnerability in the plugin upload function that allows privileged users (Global Builders) to delete arbitrary directories and…. A patch is available.

Node.js CVE-2026-35214

EUVD-2026-18793 HIGH

Path Traversal (CWE-22)

2026-04-03 GitHub_M

GHSA-2wfh-rcwf-wh23

Path Traversal Node.js File Upload

8.7

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

None

Scope

Changed

Confidentiality

None

Integrity

High

Availability

High

Lifecycle Timeline

Patch released

Apr 04, 2026 - 08:30 nvd

Patch available

EUVD ID Assigned

Apr 03, 2026 - 16:00 euvd

EUVD-2026-18793

Analysis Generated

Apr 03, 2026 - 16:00 vuln.today

CVE Published

Apr 03, 2026 - 15:43 nvd

HIGH 8.7

DescriptionNVD

Budibase is an open-source low-code platform. Prior to version 3.33.4, the plugin file upload endpoint (POST /api/plugin/upload) passes the user-supplied filename directly to createTempFolder() without sanitizing path traversal sequences. An attacker with Global Builder privileges can craft a multipart upload with a filename containing ../ to delete arbitrary directories via rmSync and write arbitrary files via tarball extraction to any filesystem path the Node.js process can access. This issue has been patched in version 3.33.4.

AnalysisAI

Path traversal in Budibase plugin upload endpoint allows Global Builders to delete arbitrary directories and write files to any accessible filesystem path. Affecting all versions prior to 3.33.4, attackers with high privileges (Global Builder role) can exploit unsanitized filename handling in POST /api/plugin/upload to execute directory traversal attacks remotely with low complexity. …

RemediationAI

Within 24 hours: Identify all Budibase instances and document current versions; audit Global Builder role assignments and restrict to essential personnel only. Within 7 days: Contact Budibase support to confirm ETA for patch 3.33.4 and evaluate temporary air-gapping of plugin upload functionality if available; implement network segmentation to limit Global Builder access to trusted IP ranges. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-35214 vulnerability details – vuln.today

Back

Node.js CVE-2026-35214

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code