{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-35214", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-01T18:48:58.937Z", "datePublished": "2026-04-03T15:43:12.426Z", "dateUpdated": "2026-04-03T16:04:36.168Z"}, "containers": {"cna": {"title": "Budibase: Path traversal in plugin file upload enables arbitrary directory deletion and file write", "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "lang": "en", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/Budibase/budibase/security/advisories/GHSA-2wfh-rcwf-wh23", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/Budibase/budibase/security/advisories/GHSA-2wfh-rcwf-wh23"}, {"name": "https://github.com/Budibase/budibase/pull/18240", "tags": ["x_refsource_MISC"], "url": "https://github.com/Budibase/budibase/pull/18240"}, {"name": "https://github.com/Budibase/budibase/commit/6344d06d703660fd05995e61d581593c2349c879", "tags": ["x_refsource_MISC"], "url": "https://github.com/Budibase/budibase/commit/6344d06d703660fd05995e61d581593c2349c879"}, {"name": "https://github.com/Budibase/budibase/releases/tag/3.33.4", "tags": ["x_refsource_MISC"], "url": "https://github.com/Budibase/budibase/releases/tag/3.33.4"}], "affected": [{"vendor": "Budibase", "product": "budibase", "versions": [{"version": "< 3.33.4", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-03T15:43:12.426Z"}, "descriptions": [{"lang": "en", "value": "Budibase is an open-source low-code platform. Prior to version 3.33.4, the plugin file upload endpoint (POST /api/plugin/upload) passes the user-supplied filename directly to createTempFolder() without sanitizing path traversal sequences. An attacker with Global Builder privileges can craft a multipart upload with a filename containing ../ to delete arbitrary directories via rmSync and write arbitrary files via tarball extraction to any filesystem path the Node.js process can access. This issue has been patched in version 3.33.4."}], "source": {"advisory": "GHSA-2wfh-rcwf-wh23", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/Budibase/budibase/security/advisories/GHSA-2wfh-rcwf-wh23", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-03T16:04:18.609938Z", "id": "CVE-2026-35214", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-03T16:04:36.168Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-35214", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-03T16:04:18.609938Z"}}}], "references": [{"url": "https://github.com/Budibase/budibase/security/advisories/GHSA-2wfh-rcwf-wh23", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-03T16:04:29.253Z"}}], "cna": {"title": "Budibase: Path traversal in plugin file upload enables arbitrary directory deletion and file write", "source": {"advisory": "GHSA-2wfh-rcwf-wh23", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "Budibase", "product": "budibase", "versions": [{"status": "affected", "version": "< 3.33.4"}]}], "references": [{"url": "https://github.com/Budibase/budibase/security/advisories/GHSA-2wfh-rcwf-wh23", "name": "https://github.com/Budibase/budibase/security/advisories/GHSA-2wfh-rcwf-wh23", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/Budibase/budibase/pull/18240", "name": "https://github.com/Budibase/budibase/pull/18240", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/Budibase/budibase/commit/6344d06d703660fd05995e61d581593c2349c879", "name": "https://github.com/Budibase/budibase/commit/6344d06d703660fd05995e61d581593c2349c879", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/Budibase/budibase/releases/tag/3.33.4", "name": "https://github.com/Budibase/budibase/releases/tag/3.33.4", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Budibase is an open-source low-code platform. Prior to version 3.33.4, the plugin file upload endpoint (POST /api/plugin/upload) passes the user-supplied filename directly to createTempFolder() without sanitizing path traversal sequences. An attacker with Global Builder privileges can craft a multipart upload with a filename containing ../ to delete arbitrary directories via rmSync and write arbitrary files via tarball extraction to any filesystem path the Node.js process can access. This issue has been patched in version 3.33.4."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-03T15:43:12.426Z"}}}, "cveMetadata": {"cveId": "CVE-2026-35214", "state": "PUBLISHED", "dateUpdated": "2026-04-03T16:04:36.168Z", "dateReserved": "2026-04-01T18:48:58.937Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-03T15:43:12.426Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:budibase:budibase:*:*:*:*:*:*:*:*", "matchCriteriaId": "B316A29C-7C2F-4102-ACF6-DDB06B3D0AD5", "versionEndExcluding": "3.33.4", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Budibase is an open-source low-code platform. Prior to version 3.33.4, the plugin file upload endpoint (POST /api/plugin/upload) passes the user-supplied filename directly to createTempFolder() without sanitizing path traversal sequences. An attacker with Global Builder privileges can craft a multipart upload with a filename containing ../ to delete arbitrary directories via rmSync and write arbitrary files via tarball extraction to any filesystem path the Node.js process can access. This issue has been patched in version 3.33.4."}], "id": "CVE-2026-35214", "lastModified": "2026-04-08T21:19:13.480", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 5.8, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-03T16:16:41.607", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/Budibase/budibase/commit/6344d06d703660fd05995e61d581593c2349c879"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/Budibase/budibase/pull/18240"}, {"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/Budibase/budibase/releases/tag/3.33.4"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/Budibase/budibase/security/advisories/GHSA-2wfh-rcwf-wh23"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/Budibase/budibase/security/advisories/GHSA-2wfh-rcwf-wh23"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.33.4)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "budibase", "source": "cna", "vendor": "Budibase"}, "product": "budibase", "vendor": "budibase"}], "analysis": {"en": {"generated_at": "2026-04-08T23:38:26.715454+00:00", "value": {"mitigation_remediation": ["Upgrade to Budibase version 3.33.4 or later to apply the vendor patch that removes the path\u2011traversal vulnerability."], "summary": {"action": "Immediate Patch", "impact": "File deletion and arbitrary file write via path traversal in plugin upload endpoint"}, "threat_synthesis": {"affected_systems": "Budibase, the open\u2011source low\u2011code platform released before version 3.33.4, contains the vulnerable plugin upload endpoint.", "description_and_impact": "An attacker who has Global Builder authority can submit a multipart upload to the plugin upload endpoint, including a filename that contains path\u2011traversal characters. The application forwards this filename directly to the temporary folder creation routine without sanitizing it, allowing the attacker to delete any directory the Node.js process can access and to extract tarball contents to arbitrary filesystem locations, effectively creating, overwriting, or removing files on the server.", "risk_and_exploitability": "The vulnerability has a high severity score and, while the likelihood of exploitation is currently low, it is exploitable by authenticated users with Global Builder privileges. An attacker could send a crafted upload request to the vulnerable endpoint, which would then perform privileged filesystem operations such as directory deletion or arbitrary file write on the server."}}}}, "created": "2026-04-03T21:13:00.902325+00:00", "updated": "2026-04-09T08:29:13.002322+00:00", "vendors": ["budibase", "budibase$PRODUCT$budibase"]}