CVE-2026-25737
Published: 09 March 2026
Summary
CVE-2026-25737 is a high-severity Client-Side Enforcement of Server-Side Security (CWE-602) vulnerability in Budibase Budibase. Its CVSS base score is 8.9 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 18.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-9 (Information Input Restrictions).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Server-side validation of file uploads directly prevents attackers from bypassing UI-level file extension restrictions and uploading arbitrary malicious files.
Server-side restrictions on file types and quantities block unauthorized file uploads that circumvent client-side controls.
Malicious code protection mechanisms scan uploaded files in real-time or periodically, identifying and mitigating execution of malicious content even if uploaded.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Arbitrary file upload (client-side bypass only) in internet-facing Budibase directly enables T1190 exploitation for initial access and code execution; the same primitive facilitates T1505.003 by allowing upload of web-shell payloads that run on the server.
NVD Description
Budibase is a low code platform for creating internal tools, workflows, and admin panels. In 3.24.0 and earlier, an arbitrary file upload vulnerability exists even though file extension restrictions are configured. The restriction is enforced only at the UI level.…
more
An attacker can bypass these restrictions and upload malicious files.
Deeper analysisAI
CVE-2026-25737 is an arbitrary file upload vulnerability in Budibase, an open-source low-code platform for building internal tools, workflows, and admin panels. The issue affects versions 3.24.0 and earlier, where file extension restrictions are enforced only at the user interface level, allowing attackers to bypass these controls and upload malicious files to the server.
The vulnerability has a CVSS v3.1 base score of 8.9 (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:L), indicating it can be exploited over the network with low complexity by an authenticated user with low privileges, requiring some user interaction. Successful exploitation enables high confidentiality and integrity impacts with a scope change, potentially allowing attackers to upload and execute malicious files, leading to server compromise.
For mitigation details, refer to the official Budibase security advisory at https://github.com/Budibase/budibase/security/advisories/GHSA-2hfr-343j-863r, which covers patches and remediation steps. The vulnerability is associated with CWEs-602 (client-side enforcement of server-side security), CWE-79 (cross-site scripting), and CWE-918 (server-side request forgery).
Details
- CWE(s)