CVE-2026-35214
Budibase · Budibase
Vulnerability data via NVD (ingested)
Budibase is an open-source low-code platform. Prior to version 3.33.4, the plugin file upload endpoint (POST /api/plugin/upload) passes the user-supplied filename directly to createTempFolder() without sanitizing path traversal sequences. An attacker with Global Builder privileges can craft a multipart upload with a filename containing ../ to delete arbitrary directories via rmSync and write arbitrary files via tarball extraction to any filesystem path the Node.js process can access. This issue has been patched in version 3.33.4.
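The class of fix for this bug, as an added JavaScript example (not Budibase's code and not its actual patch): the upload filename is restricted to a single allow-listed path component and the resolved folder is checked for containment before anything is deleted or extracted. The names `safeTempFolder`, `unsafeTempFolder`, `isInside` and the `plugin-uploads` root are hypothetical.

```javascript
// Added illustration; helper names and the upload root are hypothetical,
// not taken from Budibase's code base.
const path = require("node:path");
const os = require("node:os");

const PLUGIN_TMP_ROOT = path.join(os.tmpdir(), "plugin-uploads"); // assumed root

// True only when `candidate` resolves to a location strictly below `root`.
function isInside(root, candidate) {
  const rel = path.relative(path.resolve(root), path.resolve(candidate));
  return rel !== "" && rel !== ".." &&
    !rel.startsWith(".." + path.sep) && !path.isAbsolute(rel);
}

// Pattern the advisory describes: the multipart filename is joined onto the
// temp root unchecked, so "../" segments resolve outside it.
function unsafeTempFolder(filename) {
  return path.join(PLUGIN_TMP_ROOT, filename);
}

// Hardened form: accept a single allow-listed path component, then verify
// containment after resolution as a second, independent check.
function safeTempFolder(filename, root = PLUGIN_TMP_ROOT) {
  if (typeof filename !== "string" ||
      !/^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$/.test(filename)) {
    throw new Error("rejected upload filename");
  }
  const target = path.resolve(root, filename);
  if (!isInside(root, target)) {
    throw new Error("temp folder escapes upload root");
  }
  return target; // only now hand the path to rmSync / tar extraction
}

// Constructed sample filenames, as they might arrive in a multipart part.
const samples = ["my-plugin-1.0.0.tar.gz", "../../outside", "..", "a/b.tar.gz"];
for (const name of samples) {
  try {
    console.log("accept", JSON.stringify(name), "->", safeTempFolder(name));
  } catch (err) {
    console.log("reject", JSON.stringify(name), "-", err.message);
  }
}
```

Rejecting the name outright, rather than stripping `../` and continuing, keeps the check from being bypassed by nested or mixed-separator sequences.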
Search for exposed instances
Shodan + Censys queries derived from NVD's CPE data. The vuln tag catches assets Shodan has explicitly linked to this CVE; the product / banner fingerprints find exposed instances even when the vuln tag was never applied (which is common).
vuln:CVE-2026-35214
product:"Budibase Budibase"
http.html:"Budibase"

More intel sources (5)
vuln:CVE-2026-35214
vulnerabilities.cve_id: CVE-2026-35214
CVE-2026-35214
CVE-2026-35214
"CVE-2026-35214" exploit -site:nvd.nist.gov