Home / Vulnerability Intelligence / CVE-2026-25737

CVE-2026-25737 - Vulnerability Analysis

HighCVSS: 8.9

Last Updated: March 11, 2026

Budibase - Unrestricted File Upload

Published: March 9, 2026Updated: March 11, 2026Remote Exploitable

Overview

Budibase <= 3.24.0 contains an unrestricted file upload vulnerability caused by enforcement of file extension restrictions only at the UI level, letting attackers upload malicious files, exploit requires bypassing UI restrictions.

Severity & Score

Severity: High

CVSS Score: 8.9

EPSS Score: 5.0%(Probability of exploitation in next 30 days)

Impact

Attackers can upload malicious files, potentially leading to remote code execution or system compromise.

Mitigation

Update to a version later than 3.24.0 or the latest available version.

References

https://github.com/Budibase/budibase/security/advisories/GHSA-2hfr-343j-863r

Social Media Activity(1 post)

TheHackerWire

@thehackerwire

Mar 9, 2026

🟠 CVE-2026-25737 - High (8.9) Budibase is a low code platform for creating internal tools, workflows, and admin panels. In 3.24.0 and earlier, an arbitrary file upload vulnerability exists even though file extension restrictions are configured. The restriction is enforced only... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-25737/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post

Related Resources

Details

CVE ID: CVE-2026-25737
Severity: High
CVSS Score: 8.9
Type: unrestricted_file_upload
Status: unconfirmed
EPSS: 5.0%
Social Posts: 1

CWE

CWE-602

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:L

EPSS Score

5.0%Probability of exploitation in the next 30 days