2 matches found
CVE-2026-54352
Budibase has a high-severity arcane file-read issue via the PWA ZIP upload endpoint. Prior to 3.39.9, a workspace-builder could upload a ZIP containing a symlink to a root-available file (for example, /data/.env or /etc/shadow) and, because extract-zip preserves absolute targets and the icon vali...
CVE-2026-30240 Budibase PWA ZIP Upload Path Traversal Allows Reading Arbitrary Server Files Including All Environment Secrets
Budibase is a low code platform for creating internal tools, workflows, and admin panels. In 3.31.5 and earlier, a path traversal vulnerability in the PWA Progressive Web App ZIP processing endpoint POST /api/pwa/process-zip allows an authenticated user with builder privileges to read arbitrary...