HIGH · 8.9

CVE-2026-25737

Vulnerability Description

Budibase is a low code platform for creating internal tools, workflows, and admin panels. In 3.24.0 and earlier, an arbitrary file upload vulnerability exists even though file extension restrictions are configured. The restriction is enforced only at the UI level. An attacker can bypass these restrictions and upload malicious files.

CVSS Score

8.9 HIGH

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:L

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality: HIGH
Integrity: HIGH
Availability: LOW

Affected Products

Vendor: Budibase
Product: Budibase
Versions: <= 3.24.0

Related Weaknesses (CWE)

References

FAQ

What is CVE-2026-25737?

CVE-2026-25737 is a vulnerability with a CVSS score of 8.9 (HIGH). Budibase is a low code platform for creating internal tools, workflows, and admin panels. In 3.24.0 and earlier, an arbitrary file upload vulnerability exists even though file extension restrictions are configured. The restriction is enforced only at the UI level.

How severe is CVE-2026-25737?

CVE-2026-25737 has been rated HIGH with a CVSS base score of 8.9/10. Review the CVSS metrics above for a detailed severity breakdown.

Is there a patch for CVE-2026-25737?

Check the references section above for vendor advisories and patch information. Affected products include: Budibase Budibase.