TROYANOSYVIRUS
Zuruck zu CVEs

CVE-2026-30240

CRITICAL
9.6

Beschreibung

Budibase is a low code platform for creating internal tools, workflows, and admin panels. In 3.31.5 and earlier, a path traversal vulnerability in the PWA (Progressive Web App) ZIP processing endpoint (POST /api/pwa/process-zip) allows an authenticated user with builder privileges to read arbitrary files from the server filesystem, including /proc/1/environ which contains all environment variables — JWT secrets, database credentials, encryption keys, and API tokens. The server reads attacker-specified files via unsanitized path.join() with user-controlled input from icons.json inside the uploaded ZIP, then uploads the file contents to the object store (MinIO/S3) where they can be retrieved through signed URLs. This results in complete platform compromise as all cryptographic secrets and service credentials are exfiltrated in a single request.

CVE Details

CVSS v3.1 Bewertung9.6
SchweregradCRITICAL
CVSS VektorCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
AngriffsvektorNETWORK
KomplexitatLOW
Erforderliche PrivilegienLOW
BenutzerinteraktionNONE
Veroffentlicht3/9/2026
Zuletzt geandert3/13/2026
Quellenvd
Honeypot-Sichtungen0

Betroffene Produkte

budibase:budibase

Schwachen (CWE)

CWE-22CWE-73

Referenzen

https://github.com/Budibase/budibase/security/advisories/GHSA-pqcr-jmfv-c9cp(security-advisories@github.com)
https://github.com/Budibase/budibase/security/advisories/GHSA-pqcr-jmfv-c9cp(134c704f-9b21-4f2e-91b3-4a467353bcc0)

IOC Korrelationen

Keine Korrelationen erfasst

This product uses data from the NVD API but is not endorsed or certified by the NVD.