EUVD-2026-18793
GHSA-2wfh-rcwf-wh23
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:H
Lifecycle Timeline
4Description
Budibase is an open-source low-code platform. Prior to version 3.33.4, the plugin file upload endpoint (POST /api/plugin/upload) passes the user-supplied filename directly to createTempFolder() without sanitizing path traversal sequences. An attacker with Global Builder privileges can craft a multipart upload with a filename containing ../ to delete arbitrary directories via rmSync and write arbitrary files via tarball extraction to any filesystem path the Node.js process can access. This issue has been patched in version 3.33.4.
Analysis
Path traversal in Budibase plugin upload endpoint allows Global Builders to delete arbitrary directories and write files to any accessible filesystem path. Affecting all versions prior to 3.33.4, attackers with high privileges (Global Builder role) can exploit unsanitized filename handling in POST /api/plugin/upload to execute directory traversal attacks remotely with low complexity. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Identify all Budibase instances and document current versions; audit Global Builder role assignments and restrict to essential personnel only. Within 7 days: Contact Budibase support to confirm ETA for patch 3.33.4 and evaluate temporary air-gapping of plugin upload functionality if available; implement network segmentation to limit Global Builder access to trusted IP ranges. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today