CVE-2026-25737
- CVSS v3: 8.9 (HIGH)
- EPSS Score: 0.1% (exploit probability)
- CISA KEV (known exploited): No
- Exploitation (SSVC status): —
Description
Budibase is a low-code platform for creating internal tools, workflows, and admin panels. In versions 3.24.0 and earlier, an arbitrary file upload vulnerability exists even when file extension restrictions are configured. The restriction is enforced only at the UI level, so an attacker can bypass it and upload malicious files.
Technical Details
- CVSS v3 Vector: 3.1
- Published: 3/9/2026
- Last Modified: 3/13/2026
Frequently Asked Questions
What is CVE-2026-25737?
Budibase is a low-code platform for creating internal tools, workflows, and admin panels. In versions 3.24.0 and earlier, an arbitrary file upload vulnerability exists even when file extension restrictions are configured. The restriction is enforced only at the UI level, so an attacker can bypass it and upload malicious files.
Is CVE-2026-25737 actively exploited?
Active exploitation of CVE-2026-25737 has not been confirmed. The EPSS score is 0.1%, which is the estimated probability of exploitation in the next 30 days.
What is the CVSS score for CVE-2026-25737?
CVE-2026-25737 has a CVSS v3 base score of 8.9 (HIGH severity), with vector string 3.1.