Product
Budibase is vulnerable to Server-Side Request Forgery (SSRF) due to insufficient validation in the plugin URL upload endpoint (`/api/plugin`): the endpoint checks for the presence of `.tar.gz` as a substring, enabling attackers to potentially access internal services and sensitive information.
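The gap between a substring check like the one described above and validation of each parsed URL component, as an added example (not Budibase's code or its fix). The function names, the https-only policy and the sample URLs are assumptions made for illustration.

```javascript
// Added example: names and policy below are assumptions, not Budibase's code.

// The kind of check the advisory describes: ".tar.gz" anywhere in the string.
function substringCheck(url) {
  return url.includes(".tar.gz");
}

// True for localhost names and literal loopback, private or link-local addresses.
function isInternalHost(hostname) {
  const host = hostname.toLowerCase().replace(/^\[|\]$/g, "");
  if (host === "localhost" || host.endsWith(".localhost")) return true;
  const v4 = host.match(/^(\d+)\.(\d+)\.(\d+)\.(\d+)$/);
  if (v4) {
    const a = Number(v4[1]), b = Number(v4[2]);
    return a === 0 || a === 10 || a === 127 || (a === 169 && b === 254) ||
      (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
  }
  if (!host.includes(":")) return false; // ordinary DNS name
  return host === "::" || host === "::1" || host.startsWith("::ffff:") ||
    /^f[cd][0-9a-f]{2}:/.test(host) ||  // fc00::/7 unique local
    /^fe[89ab][0-9a-f]:/.test(host);    // fe80::/10 link-local
}

// Parse first, then validate each URL component on its own.
function validatePluginUrl(raw) {
  let u;
  try { u = new URL(raw); } catch (e) { return { ok: false, reason: "unparseable" }; }
  if (u.protocol !== "https:") return { ok: false, reason: "scheme" };
  if (u.username || u.password) return { ok: false, reason: "userinfo" };
  if (!u.pathname.endsWith(".tar.gz")) return { ok: false, reason: "extension" };
  if (isInternalHost(u.hostname)) return { ok: false, reason: "internal-host" };
  return { ok: true, reason: null };
}

// Constructed sample inputs (example.com, one private address, one loopback).
const SAMPLES = [
  "https://plugins.example.com/releases/widget-1.0.0.tar.gz",
  "https://plugins.example.com/status?file=.tar.gz",
  "https://10.0.0.5/archive.tar.gz",
  "https://[::1]/archive.tar.gz",
];

// Run both checks over the samples so the results can be compared side by side.
function compareChecks() {
  return SAMPLES.map((url) => ({ url, substring: substringCheck(url), ...validatePluginUrl(url) }));
}

console.table(compareChecks());
```

Literal-address checks do not cover a DNS name that resolves to an internal address or a redirect to one, so the code that performs the fetch also needs to validate the resolved address and restrict redirects.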