CVE-2026-30240
中文标题:
(暂无数据)
英文标题:
Budibase is a low code platform for creating internal tools, workflows, and admin panels. In 3.31.5
漏洞描述
中文描述:
(暂无数据)
英文描述:
Budibase is a low code platform for creating internal tools, workflows, and admin panels. In 3.31.5 and earlier, a path traversal vulnerability in the PWA (Progressive Web App) ZIP processing endpoint (POST /api/pwa/process-zip) allows an authenticated user with builder privileges to read arbitrary files from the server filesystem, including /proc/1/environ which contains all environment variables — JWT secrets, database credentials, encryption keys, and API tokens. The server reads attacker-specified files via unsanitized path.join() with user-controlled input from icons.json inside the uploaded ZIP, then uploads the file contents to the object store (MinIO/S3) where they can be retrieved through signed URLs. This results in complete platform compromise as all cryptographic secrets and service credentials are exfiltrated in a single request.
CWE类型:
标签:
受影响产品
| 厂商 | 产品 | 版本 | 版本范围 | 平台 | CPE |
|---|---|---|---|---|---|
| budibase | budibase | * | - | - |
cpe:2.3:a:budibase:budibase:*:*:*:*:*:*:*:*
|
解决方案
中文解决方案:
英文解决方案:
临时解决方案:
参考链接
nvd.nist.gov
CVSS评分详情
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
时间信息
利用信息
数据源详情
| 数据源 | 记录ID | 版本 | 提取时间 |
|---|---|---|---|
| NVD | nvd_CVE-2026-30240 |
2026-03-10 02:00:06 | 2026-03-09 22:00:03 |
版本与语言
安全公告
变更历史
查看详细变更
- affected_products_count: 0 -> 1