{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-30240","assignerOrgId":"a0819718-46f1-4df5-94e2-005712e83aaa","state":"PUBLISHED","assignerShortName":"GitHub_M","dateReserved":"2026-03-04T17:23:59.799Z","datePublished":"2026-03-09T20:50:09.129Z","dateUpdated":"2026-03-10T15:22:48.070Z"},"containers":{"cna":{"title":"Budibase PWA ZIP Upload Path Traversal Allows Reading Arbitrary Server Files Including All Environment Secrets","problemTypes":[{"descriptions":[{"cweId":"CWE-22","lang":"en","description":"CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","type":"CWE"}]},{"descriptions":[{"cweId":"CWE-73","lang":"en","description":"CWE-73: External Control of File Name or Path","type":"CWE"}]}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":9.6,"baseSeverity":"CRITICAL","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"LOW","scope":"CHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N","version":"3.1"}}],"references":[{"name":"https://github.com/Budibase/budibase/security/advisories/GHSA-pqcr-jmfv-c9cp","tags":["x_refsource_CONFIRM"],"url":"https://github.com/Budibase/budibase/security/advisories/GHSA-pqcr-jmfv-c9cp"}],"affected":[{"vendor":"Budibase","product":"budibase","versions":[{"version":"<= 3.31.5","status":"affected"}]}],"providerMetadata":{"orgId":"a0819718-46f1-4df5-94e2-005712e83aaa","shortName":"GitHub_M","dateUpdated":"2026-03-09T20:50:09.129Z"},"descriptions":[{"lang":"en","value":"Budibase is a low code platform for creating internal tools, workflows, and admin panels. In 3.31.5 and earlier, a path traversal vulnerability in the PWA (Progressive Web App) ZIP processing endpoint (POST /api/pwa/process-zip) allows an authenticated user with builder privileges to read arbitrary files from the server filesystem, including /proc/1/environ which contains all environment variables — JWT secrets, database credentials, encryption keys, and API tokens. The server reads attacker-specified files via unsanitized path.join() with user-controlled input from icons.json inside the uploaded ZIP, then uploads the file contents to the object store (MinIO/S3) where they can be retrieved through signed URLs. This results in complete platform compromise as all cryptographic secrets and service credentials are exfiltrated in a single request."}],"source":{"advisory":"GHSA-pqcr-jmfv-c9cp","discovery":"UNKNOWN"}},"adp":[{"references":[{"url":"https://github.com/Budibase/budibase/security/advisories/GHSA-pqcr-jmfv-c9cp","tags":["exploit"]}],"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2026-03-10T15:22:39.774967Z","id":"CVE-2026-30240","options":[{"Exploitation":"poc"},{"Automatable":"no"},{"Technical Impact":"total"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-03-10T15:22:48.070Z"}}]}}