CVE-2026-25737
Arbitrary File Upload in Budibase Allows Malicious File Execution
Publication date: 2026-03-09
Last updated on: 2026-03-13
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| budibase | budibase | up to and including 3.24.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-602 | The product is composed of a server that relies on the client to implement a mechanism that is intended to protect the server. |
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
| CWE-918 | The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-25737 is a critical arbitrary file upload vulnerability in Budibase version 3.24.0 and earlier. Although the platform enforces file extension restrictions at the user interface level to allow only safe file types, these restrictions are not enforced on the backend. This means an attacker can bypass the UI checks by intercepting and modifying upload requests to upload malicious files with disallowed extensions such as .html, .svg, .php, .exe, and others.
Once uploaded, these malicious files are stored and accessible without proper validation of their extension, MIME type, or content. This enables several critical attacks including stored cross-site scripting (XSS), malware distribution, and server-side request forgery (SSRF). For example, an attacker can upload a malicious SVG or HTML file containing JavaScript that executes when viewed by users, leading to session theft or account takeover.
How can this vulnerability impact me?
This vulnerability can have severe impacts including:
- Account takeover through stored cross-site scripting (XSS) by executing malicious scripts when users view uploaded files.
- Malware distribution by uploading executable files that can be shared and executed by users.
- Server-Side Request Forgery (SSRF) attacks where malicious files force the server to make unauthorized requests to internal or attacker-controlled resources, potentially exposing sensitive internal systems.
- Data theft and privacy breaches due to unauthorized access and execution of malicious payloads.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring file upload requests to the Budibase application and checking for files with disallowed extensions or suspicious MIME types that bypass frontend restrictions.
One approach is to intercept and analyze upload requests using tools like Burp Suite to verify if files with extensions such as .html, .svg, .php, .exe, .msi, .bat, .cmd, or double extensions (e.g., payload.png.html) are being accepted by the backend.
On the server, you can list recently uploaded files and check for unexpected file extensions or content types by running commands like:
- `find /path/to/upload/directory -type f \( -name "*.html" -o -name "*.svg" -o -name "*.php" -o -name "*.exe" -o -name "*.msi" -o -name "*.bat" -o -name "*.cmd" \)`
- `file /path/to/upload/directory/* | grep -iE 'HTML|SVG|executable|script'`
Additionally, reviewing web server logs for requests that upload files with suspicious extensions or unusual content types can help detect exploitation attempts. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include implementing backend validation of uploaded files to enforce file extension and MIME type restrictions, as the current enforcement only occurs at the UI level and can be bypassed.
Specifically, you should:
- Add server-side checks to validate file extensions against an allowlist before accepting uploads.
- Verify MIME types and file content to ensure they match expected safe file types.
- Sanitize file names to prevent double extensions or other tricks used to bypass filters.
- Restrict upload permissions to trusted users and monitor upload activity closely.
Until a patched version is available, consider disabling file uploads or restricting the feature to trusted administrators only to reduce risk.
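The server-side checks listed above, as an added Node.js example that is not Budibase's own code: it applies an extension allowlist, rejects double extensions and path components, requires the file's leading bytes to match the claimed type, and only compares the client-declared MIME type against the expected one rather than trusting it. The allowlist, magic-byte table and `validateUpload` function are assumptions made for this example.

```javascript
// Added example, not Budibase's own code: server-side validation of an upload.
// The client's extension filter is never trusted; every check is repeated here.

// Extension allowlist with the leading bytes ("magic") each type must carry
// and the fixed Content-Type it will be served with (values assumed for this example).
const ALLOWED = {
  png:  { magic: [[0x89, 0x50, 0x4e, 0x47]], mime: 'image/png' },
  jpg:  { magic: [[0xff, 0xd8, 0xff]],       mime: 'image/jpeg' },
  jpeg: { magic: [[0xff, 0xd8, 0xff]],       mime: 'image/jpeg' },
  gif:  { magic: [[0x47, 0x49, 0x46, 0x38]], mime: 'image/gif' },
  pdf:  { magic: [[0x25, 0x50, 0x44, 0x46]], mime: 'application/pdf' },
};

// Returns { ok: true, safeName, contentType } or { ok: false, reason }.
function validateUpload(filename, bytes, declaredMime) {
  // Keep only the base name so path separators cannot steer where the file lands.
  const base = String(filename).split(/[\\/]/).pop().trim();
  const parts = base.split('.');
  // Reject names with no extension, a leading dot only (e.g. ".htaccess"),
  // or more than one extension (e.g. payload.png.html).
  if (parts.length !== 2 || parts[0] === '') {
    return { ok: false, reason: 'name must be <stem>.<ext> with exactly one extension' };
  }
  const ext = parts[1].toLowerCase();
  const rule = ALLOWED[ext];
  if (!rule) {
    return { ok: false, reason: `extension .${ext} is not on the allowlist` };
  }
  // The declared MIME type is client-supplied and is only checked for agreement;
  // the accept/reject decision rests on the file's own bytes below.
  if (declaredMime != null) {
    const declared = String(declaredMime).split(';')[0].trim().toLowerCase();
    if (declared !== rule.mime) {
      return { ok: false, reason: `declared type ${declared} does not match .${ext}` };
    }
  }
  const body = Uint8Array.from(bytes);
  const matches = rule.magic.some(
    (sig) => sig.length <= body.length && sig.every((b, i) => body[i] === b),
  );
  if (!matches) {
    return { ok: false, reason: `content does not look like .${ext}` };
  }
  // Replace anything outside a conservative character set so the stored name is inert.
  const stem = parts[0].replace(/[^A-Za-z0-9_-]/g, '_').slice(0, 64);
  return { ok: true, safeName: `${stem}.${ext}`, contentType: rule.mime };
}
```

When serving stored files, send the `contentType` returned here rather than anything the uploader declared, so an accepted image is never interpreted as HTML.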