{"api_version":"1","generated_at":"2026-06-01T02:29:48+00:00","cve":"CVE-2026-46426","urls":{"html":"https://cve.report/CVE-2026-46426","api":"https://cve.report/api/cve/CVE-2026-46426.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-46426","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-46426"},"summary":{"title":"Budibase: Unrestricted Upload of File with Dangerous Type","description":"Budibase is an open-source low-code platform. Prior to 3.38.2, the file upload endpoint POST /api/attachments/process does not enforce active-content restrictions for authenticated users. The checks for dangerous file extensions are conditionally wrapped inside if (isPublicUser) or if (isPublicUser || !env.SELF_HOSTED), meaning any authenticated builder can upload executable web content — SVG files with inline <script> tags, HTML pages with JavaScript, .js modules — which are then stored in the object store (MinIO/S3) with their correct MIME types. When the resulting signed URL is opened by any app user, the browser executes the payload. Impact is persistent stored XSS over all application end users. This vulnerability is fixed in 3.38.2.","state":"PUBLISHED","assigner":"GitHub_M","published_at":"2026-05-27 18:16:26","updated_at":"2026-05-27 19:44:35"},"problem_types":["CWE-79","CWE-434","CWE-79 CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","CWE-434 CWE-434: Unrestricted Upload of File with Dangerous Type"],"metrics":[{"version":"3.1","source":"security-advisories@github.com","type":"Secondary","score":"7.6","severity":"HIGH","vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N","baseScore":7.6,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"LOW","availabilityImpact":"NONE"}},{"version":"3.1","source":"CNA","type":"DECLARED","score":"7.6","severity":"HIGH","vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N","data":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":7.6,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"LOW","privilegesRequired":"LOW","scope":"CHANGED","userInteraction":"REQUIRED","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N","version":"3.1"}}],"references":[{"url":"https://github.com/Budibase/budibase/security/advisories/GHSA-82rc-gxrg-v4gf","name":"https://github.com/Budibase/budibase/security/advisories/GHSA-82rc-gxrg-v4gf","refsource":"134c704f-9b21-4f2e-91b3-4a467353bcc0","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://github.com/Budibase/budibase/releases/tag/3.38.2","name":"https://github.com/Budibase/budibase/releases/tag/3.38.2","refsource":"security-advisories@github.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-46426","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-46426","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Budibase","product":"budibase","version":"affected < 3.38.2","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":{"cve_year":"2026","cve_id":"46426","cve":"CVE-2026-46426","epss":"0.000320000","percentile":"0.098990000","score_date":"2026-05-31","updated_at":"2026-06-01 00:08:19"},"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"metrics":[{"other":{"content":{"id":"CVE-2026-46426","options":[{"Exploitation":"poc"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","timestamp":"2026-05-27T18:01:32.331508Z","version":"2.0.3"},"type":"ssvc"}}],"providerMetadata":{"dateUpdated":"2026-05-27T18:02:00.561Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"references":[{"tags":["exploit"],"url":"https://github.com/Budibase/budibase/security/advisories/GHSA-82rc-gxrg-v4gf"}],"title":"CISA ADP Vulnrichment"}],"cna":{"affected":[{"product":"budibase","vendor":"Budibase","versions":[{"status":"affected","version":"< 3.38.2"}]}],"descriptions":[{"lang":"en","value":"Budibase is an open-source low-code platform. Prior to 3.38.2, the file upload endpoint POST /api/attachments/process does not enforce active-content restrictions for authenticated users. The checks for dangerous file extensions are conditionally wrapped inside if (isPublicUser) or if (isPublicUser || !env.SELF_HOSTED), meaning any authenticated builder can upload executable web content — SVG files with inline <script> tags, HTML pages with JavaScript, .js modules — which are then stored in the object store (MinIO/S3) with their correct MIME types. When the resulting signed URL is opened by any app user, the browser executes the payload. Impact is persistent stored XSS over all application end users. This vulnerability is fixed in 3.38.2."}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":7.6,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"LOW","privilegesRequired":"LOW","scope":"CHANGED","userInteraction":"REQUIRED","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N","version":"3.1"}}],"problemTypes":[{"descriptions":[{"cweId":"CWE-79","description":"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","lang":"en","type":"CWE"}]},{"descriptions":[{"cweId":"CWE-434","description":"CWE-434: Unrestricted Upload of File with Dangerous Type","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-05-27T17:04:42.080Z","orgId":"a0819718-46f1-4df5-94e2-005712e83aaa","shortName":"GitHub_M"},"references":[{"name":"https://github.com/Budibase/budibase/security/advisories/GHSA-82rc-gxrg-v4gf","tags":["x_refsource_CONFIRM"],"url":"https://github.com/Budibase/budibase/security/advisories/GHSA-82rc-gxrg-v4gf"},{"name":"https://github.com/Budibase/budibase/releases/tag/3.38.2","tags":["x_refsource_MISC"],"url":"https://github.com/Budibase/budibase/releases/tag/3.38.2"}],"source":{"advisory":"GHSA-82rc-gxrg-v4gf","discovery":"UNKNOWN"},"title":"Budibase: Unrestricted Upload of File with Dangerous Type"}},"cveMetadata":{"assignerOrgId":"a0819718-46f1-4df5-94e2-005712e83aaa","assignerShortName":"GitHub_M","cveId":"CVE-2026-46426","datePublished":"2026-05-27T17:04:42.080Z","dateReserved":"2026-05-13T22:18:22.829Z","dateUpdated":"2026-05-27T18:02:00.561Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-05-27 18:16:26","lastModifiedDate":"2026-05-27 19:44:35","problem_types":["CWE-79","CWE-434","CWE-79 CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","CWE-434 CWE-434: Unrestricted Upload of File with Dangerous Type"],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N","baseScore":7.6,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":2.3,"impactScore":4.7}]},"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"46426","Ordinal":"1","Title":"Budibase: Unrestricted Upload of File with Dangerous Type","CVE":"CVE-2026-46426","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"46426","Ordinal":"1","NoteData":"Budibase is an open-source low-code platform. Prior to 3.38.2, the file upload endpoint POST /api/attachments/process does not enforce active-content restrictions for authenticated users. The checks for dangerous file extensions are conditionally wrapped inside if (isPublicUser) or if (isPublicUser || !env.SELF_HOSTED), meaning any authenticated builder can upload executable web content — SVG files with inline <script> tags, HTML pages with JavaScript, .js modules — which are then stored in the object store (MinIO/S3) with their correct MIME types. When the resulting signed URL is opened by any app user, the browser executes the payload. Impact is persistent stored XSS over all application end users. This vulnerability is fixed in 3.38.2.","Type":"Description","Title":"Budibase: Unrestricted Upload of File with Dangerous Type"}]}}}