CVE-2026-30240HIGH 8.1EPSS p18.1%

CVE-2026-30240CVE-2026-30240

Description

Budibase is a low code platform for creating internal tools, workflows, and admin panels. In 3.31.5 and earlier, a path traversal vulnerability in the PWA (Progressive Web App) ZIP processing endpoint (POST /api/pwa/process-zip) allows an authenticated user with builder privileges to read arbitrary files from the server filesystem, including /proc/1/environ which contains all environment variables — JWT secrets, database credentials, encryption keys, and API tokens. The server reads attacker-specified files via unsanitized path.join() with user-controlled input from icons.json inside the uploaded ZIP, then uploads the file contents to the object store (MinIO/S3) where they can be retrieved through signed URLs. This results in complete platform compromise as all cryptographic secrets and service credentials are exfiltrated in a single request.

Scoring

CVSS 3.18.1 (HIGH)
VectorCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
EPSS0.27% probability of exploitation · percentile 18.1% · 2026-06-18T12:00:27Z
Published2026-03-09
Last modified2026-03-13

Underlying weaknesses· 2

CWE-22CWE-73

References

  1. https://github.com/Budibase/budibase/security/advisories/GHSA-pqcr-jmfv-c9cp
  2. https://github.com/Budibase/budibase/security/advisories/GHSA-pqcr-jmfv-c9cp

2

TypeTargetConfidenceTier
WeaknessImproper Limitation of a Pathname to a Restricted Directory ('Path Traversal')cwe-220%live
WeaknessExternal Control of File Name or Pathcwe-730%live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE
CVE-2026-35214
CVE
CVE-2026-33226
CVE
CVE-2026-25737
CVE
CVE-2026-27702
CVE
CVE-2026-35216
CVE
CVE-2026-31816
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.