A Server-Side Request Forgery (SSRF) vulnerability in Budibase, an open-source low-code platform, affects versions prior to 3.35.10. The vulnerability exists in the Plugin URL upload endpoint (POST /api/plugin) which performs insufficient URL validation using only a substring check for '.tar.gz'. This weak validation allows URLs containing '.tar.gz' anywhere in the string to pass validation without proper host, scheme, or path validation. While the default SSRF blacklist provides some protection, the vulnerability can be exploited in two scenarios: when chained with a BLACKLIST_IPS bypass or when HTTP redirects lead from external to internal targets. The issue has been fixed in version 3.35.10.