CVE-2026-25737 HIGH

CVE-2026-25737: Budibase Arbitrary File Upload Leading to Multiple Critical Vulnerabilities (SSRF, Stored XSS)

Vendor Budibase
Product budibase
Weakness CWE-602 · Client-side enforcement
Published March 9, 2026
Last updated March 9, 2026

CVSS base score

8.9/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction Required
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:L

What the vulnerability does

01 Description

Budibase is a low-code platform for creating internal tools, workflows, and admin panels. In versions 3.24.0 and earlier, an arbitrary file upload vulnerability exists even though file extension restrictions are configured: the restriction is enforced only at the UI level, not by the server. An attacker can bypass these client-side restrictions and upload malicious files.
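The weakness recorded above (CWE-602) is that the only extension check runs in the browser, which the uploader fully controls. The usual fix is to repeat the check on the server, where it cannot be skipped. The following is an added illustration of that server-side pattern; it is not Budibase code and makes no claim about how Budibase implements its upload handling. The `validate_upload` function, the allowlist, and the magic-byte table are all constructed for this example.

```python
import os
import re

# Constructed allowlist for illustration; a real deployment would load this from configuration.
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif", "pdf", "csv"}

# Minimal, constructed magic-byte table used to confirm the content matches the claimed type.
# Types without an entry (e.g. csv) are only extension-checked.
MAGIC_BYTES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
    "pdf": b"%PDF-",
}

# Only a conservative character set is accepted for the stored filename.
SAFE_NAME = re.compile(r"^[A-Za-z0-9._-]{1,128}$")


def validate_upload(filename, content, allowed=ALLOWED_EXTENSIONS):
    """Server-side upload check. Returns (ok, detail) where detail is the
    sanitized filename on success or a rejection reason on failure.

    This runs regardless of any check the client UI performed, which is the
    point: a browser-only restriction is merely a suggestion to the uploader.
    """
    # Drop any directory components the client may have sent (both separators).
    name = os.path.basename(filename.replace("\\", "/"))
    if not name or name in {".", ".."} or not SAFE_NAME.match(name):
        return False, "invalid filename"
    if name.startswith("."):
        return False, "dotfile names rejected"

    # Use the final extension only; 'archive.tar.gz' is judged by 'gz'.
    ext = name.rsplit(".", 1)[1].lower() if "." in name else ""
    if ext not in allowed:
        return False, f"extension '{ext or '<none>'}' not in allowlist"

    # Where the type has a known signature, require the bytes to match it, so a
    # renamed file with an allowed extension is still rejected.
    expected = MAGIC_BYTES.get(ext)
    if expected is not None and not content.startswith(expected):
        return False, "content does not match extension"

    return True, name


if __name__ == "__main__":
    # Constructed sample inputs.
    samples = [
        ("report.pdf", b"%PDF-1.4 ..."),
        ("page.html", b"<html></html>"),
        ("cover.png", b"<html></html>"),
        ("../../uploads/avatar.png", b"\x89PNG\r\n\x1a\n\x00\x00"),
    ]
    for fname, data in samples:
        print(fname, "->", validate_upload(fname, data))
```

The allowlist is deliberately an allowlist rather than a denylist of "dangerous" extensions: the server only has to reason about the handful of types it intends to serve, and anything else is rejected by default. The magic-byte check is a second, independent signal; it is not a substitute for serving uploads from a non-executing origin with a fixed `Content-Type`.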

Key dates

02 Disclosure timeline

March 9, 2026 CVE published
March 9, 2026 Record updated