Executive Summary

CVE-2026-25737 is a critical arbitrary file upload vulnerability in Budibase version 3.24.0 and earlier. Although the platform enforces file extension restrictions at the user interface level to allow only safe file types, these restrictions are not enforced on the backend. This means an attacker can bypass the UI checks by intercepting and modifying upload requests to upload malicious files with disallowed extensions such as .html, .svg, .php, .exe, and others.

Once uploaded, these malicious files are stored and accessible without proper validation of their extension, MIME type, or content. This enables several critical attacks including stored cross-site scripting (XSS), malware distribution, and server-side request forgery (SSRF). For example, an attacker can upload a malicious SVG or HTML file containing JavaScript that executes when viewed by users, leading to session theft or account takeover.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have severe impacts including:

• Account takeover through stored cross-site scripting (XSS) by executing malicious scripts when users view uploaded files.
• Malware distribution by uploading executable files that can be shared and executed by users.
• Server-Side Request Forgery (SSRF) attacks where malicious files force the server to make unauthorized requests to internal or attacker-controlled resources, potentially exposing sensitive internal systems.
• Data theft and privacy breaches due to unauthorized access and execution of malicious payloads.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring file upload requests to the Budibase application and checking for files with disallowed extensions or suspicious MIME types that bypass frontend restrictions.'}, {'type': 'paragraph', 'content': 'One approach is to intercept and analyze upload requests using tools like Burp Suite to verify if files with extensions such as .html, .svg, .php, .exe, .msi, .bat, .cmd, or double extensions (e.g., payload.png.html) are being accepted by the backend.'}, {'type': 'paragraph', 'content': 'On the server, you can list recently uploaded files and check for unexpected file extensions or content types by running commands like:'}, {'type': 'list_item', 'content': 'find /path/to/upload/directory -type f \\( -name "*.html" -o -name "*.svg" -o -name "*.php" -o -name "*.exe" -o -name "*.msi" -o -name "*.bat" -o -name "*.cmd" \\)'}, {'type': 'list_item', 'content': "file /path/to/upload/directory/* | grep -iE 'HTML|SVG|executable|script'"}, {'type': 'paragraph', 'content': 'Additionally, reviewing web server logs for requests that upload files with suspicious extensions or unusual content types can help detect exploitation attempts.'}] [1]

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include implementing backend validation of uploaded files to enforce file extension and MIME type restrictions, as the current enforcement only occurs at the UI level and can be bypassed.

Specifically, you should:

• Add server-side checks to validate file extensions against an allowlist before accepting uploads.
• Verify MIME types and file content to ensure they match expected safe file types.
• Sanitize file names to prevent double extensions or other tricks used to bypass filters.
• Restrict upload permissions to trusted users and monitor upload activity closely.

Until a patched version is available, consider disabling file uploads or restricting the feature to trusted administrators only to reduce risk.

Useful 0 Not Useful 0