CVE-2026-30240

HIGH EPSS 18.3%

Published Mar 9, 20263mo ago · Modified Jun 17, 20261w ago

8.1 CVSS 3.1

High

Published Mar 9, 2026 3mo ago

Last Modified Jun 17, 2026 1w ago

Description

Budibase is a low code platform for creating internal tools, workflows, and admin panels. In 3.31.5 and earlier, a path traversal vulnerability in the PWA (Progressive Web App) ZIP processing endpoint (POST /api/pwa/process-zip) allows an authenticated user with builder privileges to read arbitrary files from the server filesystem, including /proc/1/environ which contains all environment variables — JWT secrets, database credentials, encryption keys, and API tokens. The server reads attacker-specified files via unsanitized path.join() with user-controlled input from icons.json inside the uploaded ZIP, then uploads the file contents to the object store (MinIO/S3) where they can be retrieved through signed URLs. This results in complete platform compromise as all cryptographic secrets and service credentials are exfiltrated in a single request.

CVSS Details

Base Score

8.1

Exploitability

2.8

Impact

5.2

Vector string

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Attack Vector Network

Attack Complexity Low

Privileges Required Low

User Interaction None

Scope Unchanged

Confidentiality High

Integrity High

Availability None

Threat Intelligence

EPSS Exploit Probability

18.3% percentile

Exploit & Patch Status

Public Exploit Known

No Patch Available

Weaknesses 2

CWE-22 Path Traversal Resource Mgmt

CWE-73

Affected Products 1

Vendor	Product	Version	Range
budibase	budibase	*	≤3.31.5

References 1

github.com https://github.com/Budibase/budibase/security/advisories/GHSA-pqcr-jmfv-c9cp

ExploitVendor Advisory

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.