Home / Vulnerability Intelligence / CVE-2026-35214

CVE-2026-35214 - Vulnerability Analysis

HighCVSS: 8.7

Last Updated: April 3, 2026

Budibase - Path Traversal

Published: April 3, 2026Updated: April 3, 2026Remote Exploitable

Overview

Budibase < 3.33.4 contains a path traversal caused by unsanitized filename in plugin file upload endpoint, letting attackers with Global Builder privileges delete or write arbitrary files, exploit requires Global Builder privileges.

Severity & Score

Severity: High

CVSS Score: 8.7

EPSS Score: 11.2%(Probability of exploitation in next 30 days)

Impact

Attackers with Global Builder privileges can delete or write arbitrary files, potentially leading to full system compromise.

Mitigation

Update to version 3.33.4 or later.

References

Social Media Activity(1 post)

TheHackerWire

@thehackerwire

Apr 4, 2026

🟠 CVE-2026-35214 - High (8.7) Budibase is an open-source low-code platform. Prior to version 3.33.4, the plugin file upload endpoint (POST /api/plugin/upload) passes the user-supplied filename directly to createTempFolder() without sanitizing path traversal sequences. An attac... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-35214/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post

Related Resources

Details

CVE ID: CVE-2026-35214
Severity: High
CVSS Score: 8.7
Type: path_traversal
Status: new
EPSS: 11.2%
Social Posts: 1

CWE

CWE-22

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:H

EPSS Score

11.2%Probability of exploitation in the next 30 days