TROYANOSYVIRUS
Voltar para CVEs

CVE-2026-30240

CRITICAL
9.6

Descricao

Budibase is a low code platform for creating internal tools, workflows, and admin panels. In 3.31.5 and earlier, a path traversal vulnerability in the PWA (Progressive Web App) ZIP processing endpoint (POST /api/pwa/process-zip) allows an authenticated user with builder privileges to read arbitrary files from the server filesystem, including /proc/1/environ which contains all environment variables — JWT secrets, database credentials, encryption keys, and API tokens. The server reads attacker-specified files via unsanitized path.join() with user-controlled input from icons.json inside the uploaded ZIP, then uploads the file contents to the object store (MinIO/S3) where they can be retrieved through signed URLs. This results in complete platform compromise as all cryptographic secrets and service credentials are exfiltrated in a single request.

Detalhes CVE

Pontuacao CVSS v3.19.6
SeveridadeCRITICAL
Vetor CVSSCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
Vetor de ataqueNETWORK
ComplexidadeLOW
Privilegios necessariosLOW
Interacao do usuarioNONE
Publicado3/9/2026
Ultima modificacao3/13/2026
Fontenvd
Avistamentos honeypot0

Produtos afetados

budibase:budibase

Fraquezas (CWE)

CWE-22CWE-73

Referencias

https://github.com/Budibase/budibase/security/advisories/GHSA-pqcr-jmfv-c9cp(security-advisories@github.com)
https://github.com/Budibase/budibase/security/advisories/GHSA-pqcr-jmfv-c9cp(134c704f-9b21-4f2e-91b3-4a467353bcc0)

Correlacoes IOC

Sem correlacoes registradas

This product uses data from the NVD API but is not endorsed or certified by the NVD.