PT-2026-30191 · Budibase · Budibase

Bugbunny-Research · Published 2026-04-03 · Updated 2026-04-04 · CVE-2026-35214

CVSS v3.1: 8.7 (High)
Vector: AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Budibase versions prior to 3.33.4
Description: Budibase is an open-source low-code platform. The plugin file upload endpoint, '/api/plugin/upload', passes user-supplied filenames directly to the createTempFolder() function without sanitizing path traversal sequences. An attacker with Global Builder privileges can craft a multipart upload whose filename contains '../' to delete arbitrary directories via rmSync and to write arbitrary files via tarball extraction to any filesystem path the Node.js process can access.
Recommendations: Update to version 3.33.4 or later.

Exploit · Fix · Path traversal


Weakness Enumeration

Related Identifiers

CVE-2026-35214
GHSA-2WFH-RCWF-WH23

Affected Products

Budibase