CVE-2026-46426: Budibase: Unrestricted Upload of File with Dangerous Type
The file upload endpoint POST /api/attachments/process does not enforce active-content restrictions for authenticated users. The checks for dangerous file extensions (html, svg, js, php, etc.) are conditionally wrapped inside if (isPublicUser) or if (isPublicUser || !env.SELF_HOSTED), meaning any authenticated builder can upload executable web content — SVG files with inline <script> tags, HTML pages with JavaScript, .js modules — which are then stored in the object store (MinIO/S3) with their correct MIME types (image/svg+xml, text/html, application/javascript). When the resulting signed URL is opened by any app user, the browser executes the payload.
Impact is persistent stored XSS over all application end users.
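The conditional gate the advisory describes, contrasted with an unconditional one and a defence-in-depth serving policy, as an added example that is not Budibase's own code. The names UploadContext, isUploadAllowedVulnerable, isUploadAllowedFixed and responseHeadersFor are hypothetical; the extension list is the one the advisory names plus a few other common active-content types.

```typescript
// Added example, not Budibase code. Extensions named in the advisory plus
// a few more that browsers render as active content.
const ACTIVE_CONTENT_EXTENSIONS = new Set([
  "html", "htm", "xhtml", "shtml", "svg", "js", "mjs", "php",
]);

interface UploadContext {
  isPublicUser: boolean;
  selfHosted: boolean; // stands in for env.SELF_HOSTED
}

// Normalise the extension: trim, drop trailing dots/whitespace, lower-case,
// take the last dot-separated segment ("evil.SVG." -> "svg").
function fileExtension(filename: string): string {
  const cleaned = filename.trim().replace(/[.\s]+$/, "").toLowerCase();
  const idx = cleaned.lastIndexOf(".");
  return idx === -1 ? "" : cleaned.slice(idx + 1);
}

// Vulnerable pattern: the dangerous-extension check only runs for public
// users or non-self-hosted deployments, so an authenticated builder on a
// self-hosted instance is never checked at all.
function isUploadAllowedVulnerable(filename: string, ctx: UploadContext): boolean {
  if (ctx.isPublicUser || !ctx.selfHosted) {
    return !ACTIVE_CONTENT_EXTENSIONS.has(fileExtension(filename));
  }
  return true;
}

// Fixed pattern: the check is unconditional. Who uploaded the file does not
// change what a victim's browser executes when it opens the signed URL.
function isUploadAllowedFixed(filename: string, _ctx: UploadContext): boolean {
  return !ACTIVE_CONTENT_EXTENSIONS.has(fileExtension(filename));
}

// Defence in depth on the serving side: only a small raster-image allowlist is
// rendered inline; everything else is an opaque download with a CSP sandbox,
// so a file that slipped past the upload check is still not executed.
const RENDERABLE_IMAGE_TYPES = new Set(["image/png", "image/jpeg", "image/gif", "image/webp"]);
function responseHeadersFor(filename: string, storedMime: string): Record<string, string> {
  const inline = RENDERABLE_IMAGE_TYPES.has(storedMime) && !ACTIVE_CONTENT_EXTENSIONS.has(fileExtension(filename));
  const safeName = filename.replace(/["\r\n]/g, "");
  return {
    "Content-Type": inline ? storedMime : "application/octet-stream",
    "Content-Disposition": inline ? "inline" : `attachment; filename="${safeName}"`,
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "default-src 'none'; sandbox",
  };
}
```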