Budibase: Path traversal in plugin file upload enables arbitrary directory deletion and file write
- Severity:
- High
Description
The plugin file upload endpoint (POST /api/plugin/upload) passes the user-supplied filename directly to createTempFolder() without sanitizing path traversal sequences. An attacker with Global Builder privileges can craft a multipart upload with a filename containing ../ to delete arbitrary directories via rmSync and write arbitrary files via tarball extraction to any filesystem path the Node.
Recommendation
Update the @budibase/server package to the latest compatible version. Followings are version details:
- Affected version(s): < 3.33.4
- Patched version(s): 3.33.4
References
Related Issues
- Saltcorn has an Unauthenticated Path Traversal in sync endpoints, allowing arbitrary file write and directory read - CVE-2026-40163
- SillyTavern has a path traversal in `/api/chats/import` allows arbitrary file write outside intended chat directory - CVE-2026-34522
- @mobilenext/mobile-mcp alllows arbitrary file write via Path Traversal in mobile screen capture tools - CVE-2026-33989
- ApostropheCMS has Arbitrary File Write (Zip Slip / Path Traversal) in Import-Export Gzip Extraction - CVE-2026-32731
You might also like:
- Tags:
- npm
- @budibase/server
Anything's wrong? Let us know Last updated on April 04, 2026


