CVE-2026-30240

Name of the Vulnerable Software and Affected Versions Budibase versions prior to 3.31.5

Description Budibase is a low code platform used for creating internal tools, workflows, and admin panels. A path traversal flaw exists in the PWA (Progressive Web App) ZIP processing endpoint, specifically at /api/pwa/process-zip. This allows an authenticated user with builder privileges to access arbitrary files on the server filesystem. The server utilizes an unsanitized path.join() function with user-controlled input from icons.json within an uploaded ZIP file, leading to the ability to read sensitive files like /proc/1/environ, which contains environment variables including JWT secrets, database credentials, encryption keys, and API tokens. The file contents are then uploaded to an object store (MinIO/S3) and accessible via signed URLs, potentially resulting in complete platform compromise due to the exfiltration of cryptographic secrets and service credentials.

Recommendations Update Budibase to a version later than 3.31.5.