CVE-2026-46426

High

Published: 27 May 2026

Published

27 May 2026

Modified

27 May 2026

KEV Added

—

Patch

—

CVSS Score 7.6 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N

EPSS Score 0.0003 9.9th percentile

Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-46426 is a high-severity Cross-site Scripting (CWE-79) vulnerability. Its CVSS base score is 7.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Drive-by Compromise (T1189); ranked at the 9.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

Threat & Defense at a Glance

What attackers do: exploitation maps to Drive-by Compromise (T1189).

Threat & Defense Details

Likely Mitigating ControlsAI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

CA-8 Penetration Testing

addresses: CWE-79

Penetration testing submits XSS payloads to web applications, detecting cross-site scripting flaws for subsequent remediation.

MP-7 Media Use

addresses: CWE-434

Requiring identifiable owners for portable devices reduces the attack surface for unrestricted uploads of dangerous file types via anonymous media.

SC-44 Detonation Chambers

addresses: CWE-434

Dangerous file uploads can be detonated in the chamber to determine malice before any production write or execution occurs.

SC-51 Hardware-based Protection

addresses: CWE-434

Prevents unrestricted writing of arbitrary or malicious firmware by keeping hardware write-protect enabled except under tightly controlled manual procedures.

SI-10 Information Input Validation

addresses: CWE-79

Validates web inputs to reject script-related content that could produce XSS.

SI-15 Information Output Filtering

addresses: CWE-79

Output validation against expected content can reject or sanitize script content in generated web pages, reducing XSS exploitability.

SI-3 Malicious Code Protection

addresses: CWE-434

Scans files from external sources on download/open/execute, blocking unrestricted uploads of dangerous file types.

MITRE ATT&CK Enterprise TechniquesAI

T1189 Drive-by Compromise Initial Access

Adversaries may gain access to a system through a user visiting a website over the normal course of browsing.

attack.mitre.org →

Why these techniques?

Stored XSS via unrestricted malicious file uploads (SVG/HTML/JS) directly enables drive-by compromise of application users.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

Budibase is an open-source low-code platform. Prior to 3.38.2, the file upload endpoint POST /api/attachments/process does not enforce active-content restrictions for authenticated users. The checks for dangerous file extensions are conditionally wrapped inside if (isPublicUser) or if (isPublicUser || !env.SELF_HOSTED),…

meaning any authenticated builder can upload executable web content — SVG files with inline <script> tags, HTML pages with JavaScript, .js modules — which are then stored in the object store (MinIO/S3) with their correct MIME types. When the resulting signed URL is opened by any app user, the browser executes the payload. Impact is persistent stored XSS over all application end users. This vulnerability is fixed in 3.38.2.

Deeper analysisAI

Automated synthesis unavailable for this CVE.

Details

CWE(s): CWE-79 CWE-434
OWASP Top 10 Web 2025: A05:2025 A06:2025

EU & UK References

🇪🇺 ENISA EUVD: EUVD-2026-32596

References

https://github.com/Budibase/budibase/releases/tag/3.38.2
security-advisories@github.com
https://github.com/Budibase/budibase/security/advisories/GHSA-82rc-gxrg-v4gf
security-advisories@github.com
https://github.com/Budibase/budibase/security/advisories/GHSA-82rc-gxrg-v4gf
134c704f-9b21-4f2e-91b3-4a467353bcc0