CVE-2025-26260

High CVSS: 8.8

Plenti <= 0.7.16 is vulnerable to code execution. Users uploading '.svelte' files with the /postLocal endpoint can define the file name as javascript codes. The server executes the uploaded file name in host, and cause code execution.

Vendor

Plenti

Product

Plenti

CWE

CWE-94

Yayın Tarihi

2025-03-12 16:15:23

Güncelleme

2025-10-02 15:55:48

Source Identifier

cve@mitre.org

KEV Date Added

Kategoriler

CWE-94 Plenti HIGH Plenti 2025

Referanslar

https://ahmetakan.com/2025/02/14/cve-2025-26260/ https://github.com/ahmetak4n/vulnerability-playground/tree/main/vulnerability-research/CVE-2025-26260 https://github.com/plentico/plenti/releases/tag/v0.7.17 https://github.com/plentico/plenti/security/advisories/GHSA-mj4v-hp69-27x5 https://github.com/plentico/plenti/security/advisories/GHSA-mj4v-hp69-27x5