{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-05-06T17:01:19.395","vulnerabilities":[{"cve":{"id":"CVE-2026-30240","sourceIdentifier":"security-advisories@github.com","published":"2026-03-09T21:16:18.843","lastModified":"2026-03-13T17:46:41.427","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Budibase is a low code platform for creating internal tools, workflows, and admin panels. In 3.31.5 and earlier, a path traversal vulnerability in the PWA (Progressive Web App) ZIP processing endpoint (POST /api/pwa/process-zip) allows an authenticated user with builder privileges to read arbitrary files from the server filesystem, including /proc/1/environ which contains all environment variables — JWT secrets, database credentials, encryption keys, and API tokens. The server reads attacker-specified files via unsanitized path.join() with user-controlled input from icons.json inside the uploaded ZIP, then uploads the file contents to the object store (MinIO/S3) where they can be retrieved through signed URLs. This results in complete platform compromise as all cryptographic secrets and service credentials are exfiltrated in a single request."},{"lang":"es","value":"Budibase es una plataforma de bajo código para crear herramientas internas, flujos de trabajo y paneles de administración. En 3.31.5 y versiones anteriores, una vulnerabilidad de salto de ruta en el endpoint de procesamiento de ZIP de PWA (Progressive Web App) (POST /api/pwa/process-zip) permite a un usuario autenticado con privilegios de constructor leer archivos arbitrarios del sistema de archivos del servidor, incluido /proc/1/environ que contiene todas las variables de entorno — secretos JWT, credenciales de base de datos, claves de cifrado y tokens de API. El servidor lee archivos especificados por el atacante a través de path.join() no saneado con entrada controlada por el usuario desde icons.json dentro del ZIP subido, luego sube el contenido del archivo al almacén de objetos (MinIO/S3) donde pueden ser recuperados a través de URLs firmadas. Esto resulta en un compromiso completo de la plataforma ya que todos los secretos criptográficos y las credenciales de servicio son exfiltrados en una sola solicitud."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N","baseScore":9.6,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"NONE"},"exploitabilityScore":3.1,"impactScore":5.8},{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N","baseScore":8.1,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":5.2}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Secondary","description":[{"lang":"en","value":"CWE-22"},{"lang":"en","value":"CWE-73"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:budibase:budibase:*:*:*:*:*:*:*:*","versionEndIncluding":"3.31.5","matchCriteriaId":"085377C0-B471-44F3-B3D5-15E66046E33B"}]}]}],"references":[{"url":"https://github.com/Budibase/budibase/security/advisories/GHSA-pqcr-jmfv-c9cp","source":"security-advisories@github.com","tags":["Exploit","Vendor Advisory"]},{"url":"https://github.com/Budibase/budibase/security/advisories/GHSA-pqcr-jmfv-c9cp","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","tags":["Exploit","Vendor Advisory"]}]}}]}