PT-2026-42050 · Budibase · Budibase

Da7Om85 · Published 2026-05-19 · Updated 2026-05-27 · CVE-2026-46426

CVSS v3.1: 7.6 (High)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N

Name of the Vulnerable Software and Affected Versions: Budibase versions prior to 3.38.2
Description: The file upload endpoint "/api/attachments/process" does not enforce active-content restrictions for authenticated users. The dangerous-extension check is skipped when the requesting user is not a public user, or when the environment is self-hosted. As a result, authenticated builders can upload executable web content, such as SVG files containing inline <script> tags, HTML pages with JavaScript, or .js modules. These files are stored in the object store with their original MIME types; when any application user opens a signed URL to such a file, the browser executes the payload, resulting in persistent stored cross-site scripting (XSS). The issue is located within the uploadFile() function.
Recommendations: Update to version 3.38.2. As a temporary workaround, restrict access to the "/api/attachments/process" endpoint to minimize the risk of exploitation.
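The following is an added illustration, not Budibase's own code: the weak gate is a reconstruction of the condition the advisory describes (check skipped for non-public users or self-hosted deployments), shown beside a hardened check that applies to every caller, plus the response headers a download endpoint can send so a stored file is saved rather than rendered. All function and field names are hypothetical.

```javascript
// Added example (not Budibase code). The vulnerable branch reconstructs the
// condition described in the advisory; all names here are hypothetical.

// Extensions whose content a browser will execute when the file is opened directly.
const ACTIVE_CONTENT_EXTENSIONS = new Set([
  "svg", "html", "htm", "xhtml", "js", "mjs", "xml", "xsl", "shtml",
]);

function extensionOf(filename) {
  const idx = filename.lastIndexOf(".");
  return idx === -1 ? "" : filename.slice(idx + 1).toLowerCase();
}

// Reconstructed weak check: the extension deny-list is only consulted for
// public users on non-self-hosted deployments, so an authenticated builder
// (or anyone on a self-hosted instance) bypasses it entirely.
function vulnerableIsUploadAllowed(filename, { isPublicUser, selfHosted }) {
  if (!isPublicUser || selfHosted) {
    return true; // restriction skipped: active content accepted unchanged
  }
  return !ACTIVE_CONTENT_EXTENSIONS.has(extensionOf(filename));
}

// Hardened check: the deny-list applies regardless of who is uploading or
// where the instance runs, and SVG bodies are inspected for script or event
// handlers so that a renamed SVG is caught as well (defence in depth).
function hardenedIsUploadAllowed(filename, content) {
  if (ACTIVE_CONTENT_EXTENSIONS.has(extensionOf(filename))) return false;
  const looksLikeSvg = /<svg[\s>]/i.test(content);
  const hasActiveContent = /<script|\son\w+\s*=|javascript:/i.test(content);
  return !(looksLikeSvg && hasActiveContent);
}

// Headers for the endpoint that serves stored attachments: force a download
// and forbid MIME sniffing, so a file that slipped through is not rendered.
function safeDownloadHeaders(filename) {
  return {
    "Content-Disposition": `attachment; filename="${filename.replace(/"/g, "")}"`,
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "sandbox; default-src 'none'",
  };
}
```

The hardened check is the form that removes the user-type and hosting-mode exceptions; the headers are an independent mitigation for files already in the object store.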

Exploit

Fix

XSS

Unrestricted File Upload

Weakness Enumeration

Related Identifiers

CVE-2026-46426
GHSA-82RC-GXRG-V4GF

Affected Products

Budibase