{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-35214", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-01T18:48:58.937Z", "datePublished": "2026-04-03T15:43:12.426Z", "dateUpdated": "2026-04-03T16:04:36.168Z"}, "containers": {"cna": {"title": "Budibase: Path traversal in plugin file upload enables arbitrary directory deletion and file write", "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "lang": "en", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/Budibase/budibase/security/advisories/GHSA-2wfh-rcwf-wh23", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/Budibase/budibase/security/advisories/GHSA-2wfh-rcwf-wh23"}, {"name": "https://github.com/Budibase/budibase/pull/18240", "tags": ["x_refsource_MISC"], "url": "https://github.com/Budibase/budibase/pull/18240"}, {"name": "https://github.com/Budibase/budibase/commit/6344d06d703660fd05995e61d581593c2349c879", "tags": ["x_refsource_MISC"], "url": "https://github.com/Budibase/budibase/commit/6344d06d703660fd05995e61d581593c2349c879"}, {"name": "https://github.com/Budibase/budibase/releases/tag/3.33.4", "tags": ["x_refsource_MISC"], "url": "https://github.com/Budibase/budibase/releases/tag/3.33.4"}], "affected": [{"vendor": "Budibase", "product": "budibase", "versions": [{"version": "< 3.33.4", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-03T15:43:12.426Z"}, "descriptions": [{"lang": "en", "value": "Budibase is an open-source low-code platform. Prior to version 3.33.4, the plugin file upload endpoint (POST /api/plugin/upload) passes the user-supplied filename directly to createTempFolder() without sanitizing path traversal sequences. An attacker with Global Builder privileges can craft a multipart upload with a filename containing ../ to delete arbitrary directories via rmSync and write arbitrary files via tarball extraction to any filesystem path the Node.js process can access. This issue has been patched in version 3.33.4."}], "source": {"advisory": "GHSA-2wfh-rcwf-wh23", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/Budibase/budibase/security/advisories/GHSA-2wfh-rcwf-wh23", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-03T16:04:18.609938Z", "id": "CVE-2026-35214", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-03T16:04:36.168Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-35214", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-03T16:04:18.609938Z"}}}], "references": [{"url": "https://github.com/Budibase/budibase/security/advisories/GHSA-2wfh-rcwf-wh23", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-03T16:04:29.253Z"}}], "cna": {"title": "Budibase: Path traversal in plugin file upload enables arbitrary directory deletion and file write", "source": {"advisory": "GHSA-2wfh-rcwf-wh23", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "Budibase", "product": "budibase", "versions": [{"status": "affected", "version": "< 3.33.4"}]}], "references": [{"url": "https://github.com/Budibase/budibase/security/advisories/GHSA-2wfh-rcwf-wh23", "name": "https://github.com/Budibase/budibase/security/advisories/GHSA-2wfh-rcwf-wh23", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/Budibase/budibase/pull/18240", "name": "https://github.com/Budibase/budibase/pull/18240", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/Budibase/budibase/commit/6344d06d703660fd05995e61d581593c2349c879", "name": "https://github.com/Budibase/budibase/commit/6344d06d703660fd05995e61d581593c2349c879", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/Budibase/budibase/releases/tag/3.33.4", "name": "https://github.com/Budibase/budibase/releases/tag/3.33.4", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Budibase is an open-source low-code platform. Prior to version 3.33.4, the plugin file upload endpoint (POST /api/plugin/upload) passes the user-supplied filename directly to createTempFolder() without sanitizing path traversal sequences. An attacker with Global Builder privileges can craft a multipart upload with a filename containing ../ to delete arbitrary directories via rmSync and write arbitrary files via tarball extraction to any filesystem path the Node.js process can access. This issue has been patched in version 3.33.4."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-03T15:43:12.426Z"}}}, "cveMetadata": {"cveId": "CVE-2026-35214", "state": "PUBLISHED", "dateUpdated": "2026-04-03T16:04:36.168Z", "dateReserved": "2026-04-01T18:48:58.937Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-03T15:43:12.426Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Budibase is an open-source low-code platform. Prior to version 3.33.4, the plugin file upload endpoint (POST /api/plugin/upload) passes the user-supplied filename directly to createTempFolder() without sanitizing path traversal sequences. An attacker with Global Builder privileges can craft a multipart upload with a filename containing ../ to delete arbitrary directories via rmSync and write arbitrary files via tarball extraction to any filesystem path the Node.js process can access. This issue has been patched in version 3.33.4."}], "id": "CVE-2026-35214", "lastModified": "2026-04-03T16:16:41.607", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 5.8, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-03T16:16:41.607", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/Budibase/budibase/commit/6344d06d703660fd05995e61d581593c2349c879"}, {"source": "security-advisories@github.com", "url": "https://github.com/Budibase/budibase/pull/18240"}, {"source": "security-advisories@github.com", "url": "https://github.com/Budibase/budibase/releases/tag/3.33.4"}, {"source": "security-advisories@github.com", "url": "https://github.com/Budibase/budibase/security/advisories/GHSA-2wfh-rcwf-wh23"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://github.com/Budibase/budibase/security/advisories/GHSA-2wfh-rcwf-wh23"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.33.4)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "budibase", "source": "cna", "vendor": "Budibase"}, "product": "budibase", "vendor": "budibase"}], "analysis": {"en": {"generated_at": "2026-04-03T18:51:47.159157+00:00", "value": {"mitigation_remediation": ["Upgrade Budibase to version 3.33.4 or later, which removes the path traversal handling.", "If an upgrade cannot be performed immediately, limit Global Builder permissions to trusted administrators and monitor the /api/plugin/upload endpoint for anomalous activity.", "Apply file system permissions or ACLs to restrict the Node.js process from writing to sensitive directories.", "Log and alert on any unexpected file deletion or creation events within the application."], "summary": {"action": "Patch Immediately", "impact": "Arbitrary Directory Deletion and File Creation via Plugin Upload"}, "threat_synthesis": {"affected_systems": "Budibase low\u2011code platform versions prior to 3.33.4 are affected. The issue resides in the plugin file upload API (/api/plugin/upload). The vulnerability is present in all distributions that expose this endpoint and rely on Node.js to process uploads.", "description_and_impact": "A path traversal flaw in Budibase's plugin upload endpoint allows an attacker with Global Builder privileges to supply a filename containing '../', causing the server to create temporary folders outside the intended directory. The flaw enables deletion of arbitrary directories using rmSync and writing of arbitrary files via tarball extraction, which can compromise the integrity and confidentiality of the application and underlying filesystem.", "risk_and_exploitability": "The CVSS score of 8.7 indicates a high severity vulnerability. Because the vulnerability requires only authenticated Global Builder privileges and no special network exposure, exploitability is practical for users with those rights. EPSS data is unavailable, but the lack of an official KEV listing does not diminish its risk. An attacker can craft a multipart upload with a malicious filename to delete or overwrite files, potentially escalating to full server compromise if additional privileges are present."}}}}, "created": "2026-04-03T21:13:00.902325+00:00", "updated": "2026-04-03T21:15:13.292369+00:00", "vendors": ["budibase", "budibase$PRODUCT$budibase"]}