CVE-2026-35214
unknown
CVSS v3
—
CVSS v2
—
VIR risk
—
Description
Budibase: Path traversal in plugin file upload enables arbitrary directory deletion and file write
Predictions
Exploit likelihood
30%
Patch ETA
—
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
No vendor mitigations ingested yet for this CVE. The mitigation-content worker queues fetches as references arrive — check back in a few minutes, or see the references list below.
Package impact
| Ecosystem | Package | Vulnerable | Fixed |
|---|---|---|---|
| npm | @budibase/server | <3.33.4 | 3.33.4 |
References
- https://github.com/Budibase/budibase/security/advisories/GHSA-2wfh-rcwf-wh23
- https://nvd.nist.gov/vuln/detail/CVE-2026-35214
- https://github.com/Budibase/budibase/pull/18240
- https://github.com/Budibase/budibase/commit/6344d06d703660fd05995e61d581593c2349c879
- https://github.com/Budibase/budibase
- https://github.com/Budibase/budibase/releases/tag/3.33.4
Verify integrity in audit chain (admin only). AS-IS.