Path Traversal Vulnerability in Budibase Low-Code Platform
CVE-2026-35214
8.7 HIGH
What is CVE-2026-35214?
Budibase, an open-source low-code platform, has a path traversal vulnerability in its plugin file upload endpoint. Before version 3.33.4, the endpoint improperly handles user-supplied filenames, so an attacker with Global Builder privileges can craft a multipart upload request containing '../' sequences to delete arbitrary directories and write files to any filesystem path accessible to the Node.js process. This critical flaw has been fixed in version 3.33.4, and users should update to that version to mitigate the risk.
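The class of bug described above, shown as an added Node.js example that is not Budibase's code or its patch: a client-supplied filename joined directly to an upload directory, beside a filename allowlist with a containment check. The root path, function names and sample filenames are assumptions constructed for illustration.

```javascript
const path = require("node:path");

// Hypothetical upload root, constructed for this example.
const PLUGIN_ROOT = "/srv/app/plugins";

// Unsafe pattern: the client-supplied filename is joined as-is, so "../"
// segments move the target outside the root before any delete or write.
function naiveTarget(root, filename) {
  return path.posix.join(root, filename);
}

// Hardened pattern: allowlist the name (no separators, no leading dot),
// then confirm the resolved path is still inside the root.
function safeTarget(root, filename) {
  if (typeof filename !== "string" ||
      !/^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$/.test(filename)) {
    throw new Error("rejected filename: " + JSON.stringify(filename));
  }
  const rootAbs = path.resolve(root);
  const target = path.resolve(rootAbs, filename);
  const rel = path.relative(rootAbs, target);
  if (rel === "" || rel.startsWith("..") || path.isAbsolute(rel)) {
    throw new Error("path escapes upload root: " + target);
  }
  return target;
}

// Constructed sample filenames, as they might arrive in a multipart part.
const SAMPLES = [
  "my-plugin-1.0.0.tar.gz",
  "../../etc/demo.tar.gz",
  "..\\..\\demo.tar.gz",
  "/tmp/demo.tar.gz",
  "..",
];

// Run every sample through the hardened check and record the outcome.
function audit(root, names) {
  return names.map((name) => {
    try {
      return { name, ok: true, target: safeTarget(root, name) };
    } catch (err) {
      return { name, ok: false, reason: err.message };
    }
  });
}

console.log("naive join:", naiveTarget(PLUGIN_ROOT, SAMPLES[1]));
console.table(audit(PLUGIN_ROOT, SAMPLES));
```

Rejecting the name outright, rather than stripping it to its last path component, keeps traversal attempts visible in application logs.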
Affected Version(s)
budibase < 3.33.4
