Stored XSS Vulnerability in Budibase Low-Code Platform
CVE-2026-46426

7.6 HIGH

Key Information:

Vendor: Budibase
Status: Vendor
CVE Published: 27 May 2026

What is CVE-2026-46426?

Budibase, an open-source low-code platform, has a vulnerability that allows authenticated users to upload dangerous files through the file upload endpoint. Because the endpoint applies no effective content restrictions, SVG files containing inline <script> tags and other executable web content are accepted without proper checks. The result is stored (persistent) XSS: the malicious script runs in the browser of every application end user who opens the file. The vulnerability has been addressed in version 3.38.2.
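The kind of content restriction the fix describes, as an added example that is not Budibase's own code: a hypothetical checkUpload function for a file-upload endpoint that classifies a file by extension, declared type and actual content, refuses SVG and HTML carrying active content, and returns the headers to serve user files with. It assumes the caller has already read the upload as text (and decompressed .svgz).

```typescript
// Added example, not Budibase's own code: a server-side gate for a file-upload
// endpoint, modelled on the weakness described above. All names are hypothetical.
type UploadVerdict = { allowed: boolean; reason?: string; headers: Record<string, string> };

// Markup that lets an SVG run script or embed HTML when it is opened directly. Scanning
// runs on a decoded, control-character-free copy so that "&#106;avascript:" or
// "onload\t=" cannot slip past; a false positive only refuses a harmless file.
const ACTIVE_CONTENT: Array<[RegExp, string]> = [
  [/<\s*script\b/i, "inline <script> element"],
  [/\bon[a-z]+\s*=/i, "event handler attribute"],
  [/(javascript|vbscript)\s*:/i, "script URL scheme"],
  [/<\s*(foreignObject|iframe|embed|object)\b/i, "embedded HTML or plugin content"],
  [/<!ENTITY\b/i, "internal DTD entity (can smuggle markup past a scanner)"],
];

// Decode numeric character references; values outside the BMP become U+FFFD.
const cp = (n: number): string => (n > 0xffff ? "\uFFFD" : String.fromCharCode(n));
function decodeNumericEntities(s: string): string {
  return s
    .replace(/&#x([0-9a-f]+);/gi, (_m: string, h: string) => cp(parseInt(h, 16)))
    .replace(/&#(\d+);/g, (_m: string, d: string) => cp(parseInt(d, 10)));
}

// Decide whether an upload may be stored, and which headers to send when serving it.
// body is the upload decoded as text (.svgz must be decompressed by the caller first).
function checkUpload(filename: string, declaredType: string, body: string): UploadVerdict {
  const extMatch = /\.([a-z0-9]+)$/.exec(filename.toLowerCase());
  const ext = extMatch ? extMatch[1] : "";
  const type = declaredType.toLowerCase().split(";")[0].trim();
  const head = body.slice(0, 1024).replace(/^\s+/, "").toLowerCase();
  // Sent with every user file: no MIME sniffing, and a sandboxed CSP so that even a
  // file the content check missed cannot run script in the application's origin.
  const headers: Record<string, string> = {
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "sandbox; default-src 'none'",
  };
  // Classify by extension, declared type AND content: a renamed .png is still HTML or SVG.
  const isHtml = ["html", "htm", "xhtml", "shtml"].indexOf(ext) !== -1 || type === "text/html" ||
    type === "application/xhtml+xml" || /^<!doctype html|^<html\b/.test(head);
  if (isHtml) return { allowed: false, reason: "HTML is executable web content", headers };
  const isSvg = ext === "svg" || ext === "svgz" || type === "image/svg+xml" || /<svg\b/.test(head);
  if (!isSvg) return { allowed: true, headers };
  const scan = decodeNumericEntities(body).replace(/[\u0000-\u001f]/g, "");
  for (const [re, why] of ACTIVE_CONTENT) {
    if (re.test(scan)) return { allowed: false, reason: "SVG rejected: " + why, headers };
  }
  // Clean SVG: pin the type and make direct navigation a download rather than a render.
  return { allowed: true, headers: { ...headers, "Content-Type": "image/svg+xml", "Content-Disposition": "attachment" } };
}
```

The pattern list is a first line only; the nosniff and sandbox headers are what stop a file that slips past it from running in the application's origin.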

Affected Version(s)

budibase < 3.38.2

References

CVSS V3.1

Score: 7.6
Severity: HIGH
Confidentiality: High
Integrity: Low
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
