CVE-2026-25099

High CVSS: 8.7

Bludit’s API plugin allows an authenticated attacker with a valid API token to upload files of any type and extension without restriction, which can then be executed, leading to Remote Code Execution.

This issue was fixed in 3.18.4.

Vendor

Bludit

Product

Bludit

CWE

CWE-434

Yayın Tarihi

2026-03-27 12:16:19

Güncelleme

2026-04-01 14:16:35

Source Identifier

cvd@cert.pl

KEV Date Added

Kategoriler

CWE-434 Bludit HIGH Bludit 2026

Referanslar

https://cert.pl/posts/2026/03/CVE-2026-25099 https://github.com/bludit/bludit/releases/tag/3.18.4

Benzer Kayıtlar

Medium

CVE-2026-25100

Bludit is vulnerable to Stored Cross-Site Scripting (XSS) in its image upload functionality. An authenticated attacker w…

Medium

CVE-2026-25101

Bludit allows user's session identifier to be set before authentication. The value of this session ID stays the same aft…

Medium

CVE-2026-27741

Bludit version 3.16.1 contains a cross-site request forgery (CSRF) vulnerability in the /admin/uninstall-plugin/ and /ad…

Medium

CVE-2026-27742

Bludit version 3.16.2 contains a stored cross-site scripting (XSS) vulnerability in the post content functionality. The…

High

CVE-2023-53907

Bludit versions before 3.13.1 contain an authenticated file download vulnerability in the Backup Plugin that allows logg…