CVE-2026-46426
BaseFortify
Publication date: 2026-05-27
Last updated on: 2026-05-27
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| budibase | budibase | to 3.38.2 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-434 | The product allows the upload or transfer of dangerous file types that are automatically processed within its environment. |
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in Budibase, an open-source low-code platform, prior to version 3.38.2. The file upload endpoint POST /api/attachments/process does not properly enforce restrictions on active content for authenticated users. Specifically, checks for dangerous file extensions are only applied conditionally based on whether the user is public or the environment is self-hosted. As a result, any authenticated builder can upload executable web content such as SVG files containing inline script tags, HTML pages with JavaScript, or JavaScript modules. These files are stored with their correct MIME types in the object store (MinIO/S3). When other users open the resulting signed URL, the browser executes the malicious payload, leading to persistent stored cross-site scripting (XSS) affecting all application end users.
How can this vulnerability impact me? :
The vulnerability allows authenticated users to upload malicious executable web content that can be executed by other users' browsers when accessing the stored files. This results in persistent stored cross-site scripting (XSS), which can lead to unauthorized actions, data theft, session hijacking, or other malicious activities affecting all users of the application.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, upgrade Budibase to version 3.38.2 or later, where the issue is fixed.
Until the upgrade is applied, restrict authenticated builder users from uploading executable web content such as SVG files with inline scripts, HTML pages with JavaScript, and .js modules.
Additionally, review and tighten file upload endpoint controls and consider disabling or limiting the use of signed URLs that allow execution of uploaded content.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
This vulnerability allows authenticated users to upload executable web content that can lead to persistent stored cross-site scripting (XSS) attacks affecting all application end users.
Such attacks can result in session cookie theft, full account takeover, and workspace takeover, which compromises the confidentiality and integrity of user data.
Because of these impacts on data confidentiality and user account security, the vulnerability could negatively affect compliance with data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access and breaches.