CVE-2026-46426

by Fred · 27/05/2026

Budibase is an open-source low-code platform. Prior to 3.38.2, the file upload endpoint POST /api/attachments/process does not enforce active-content restrictions for authenticated users. The checks for dangerous file extensions are conditionally wrapped inside if (isPublicUser) or if (isPublicUser || !env.SELF_HOSTED), meaning any authenticated builder can upload executable web content — SVG files with inline

More information : https://github.com/Budibase/budibase/releases/tag/3.38.2

CVE-2026-46426

Similar

Recent Posts

Categories

CVE-2026-46426

Share this:

Similar

Recent Posts

Categories

Tags