GHSA-2wfh-rcwf-wh23: Budibase: Path traversal in plugin file upload enables arbitrary directory deletion and file write
Severity: High
security
Summary
Budibase has a path traversal vulnerability in its plugin upload endpoint: user-supplied filenames are passed to filesystem operations without sanitization. An attacker with Global Builder privileges can craft an upload whose filenames contain `../` sequences to delete arbitrary directories or write files anywhere the Node.js process can access, potentially causing data loss or denial of service (making the application unavailable).
Vulnerability Details
EPSS (30-day exploit probability)
EPSS: 0.0%
Patch Available
Yes
Disclosure Date
April 4, 2026
Classification
Attack Sophistication: Moderate
Affected Packages
@budibase/server < 3.33.4 (fixed in 3.33.4)
Original source: https://github.com/advisories/GHSA-2wfh-rcwf-wh23
First tracked: April 4, 2026 at 08:00 AM