{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-46426", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-05-13T22:18:22.829Z", "datePublished": "2026-05-27T17:04:42.080Z", "dateUpdated": "2026-05-27T18:02:00.561Z"}, "containers": {"cna": {"title": "Budibase: Unrestricted Upload of File with Dangerous Type", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-434", "lang": "en", "description": "CWE-434: Unrestricted Upload of File with Dangerous Type", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/Budibase/budibase/security/advisories/GHSA-82rc-gxrg-v4gf", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/Budibase/budibase/security/advisories/GHSA-82rc-gxrg-v4gf"}, {"name": "https://github.com/Budibase/budibase/releases/tag/3.38.2", "tags": ["x_refsource_MISC"], "url": "https://github.com/Budibase/budibase/releases/tag/3.38.2"}], "affected": [{"vendor": "Budibase", "product": "budibase", "versions": [{"version": "< 3.38.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-05-27T17:04:42.080Z"}, "descriptions": [{"lang": "en", "value": "Budibase is an open-source low-code platform. Prior to 3.38.2, the file upload endpoint POST /api/attachments/process does not enforce active-content restrictions for authenticated users. The checks for dangerous file extensions are conditionally wrapped inside if (isPublicUser) or if (isPublicUser || !env.SELF_HOSTED), meaning any authenticated builder can upload executable web content \u2014 SVG files with inline <script> tags, HTML pages with JavaScript, .js modules \u2014 which are then stored in the object store (MinIO/S3) with their correct MIME types. When the resulting signed URL is opened by any app user, the browser executes the payload. Impact is persistent stored XSS over all application end users. This vulnerability is fixed in 3.38.2."}], "source": {"advisory": "GHSA-82rc-gxrg-v4gf", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/Budibase/budibase/security/advisories/GHSA-82rc-gxrg-v4gf", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-05-27T18:01:32.331508Z", "id": "CVE-2026-46426", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-05-27T18:02:00.561Z"}}]}}

{}

{}

{}

{}