HIGHCVE-2026-25099Published 2026-03-27Modified 2026-03-27CNA CERT-PL

CVE-2026-25099: Remote Code Execution via Unrestricted File Upload in Bludit

Bludit’s API plugin allows an authenticated attacker with a valid API token to upload files of any type and extension without restriction, which can then be executed, leading to Remote Code Execution. This issue was fixed in 3.18.4.

CVSS v4.0: 8.7
Severity: HIGH
Fixed in: 3.18.4
Affected Products: 1

Fix available

3.18.4

Affected packages

Bludit / Bludit
< 3.18.4 (from 0)

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L

References

cert.pl
github.com

Metrics

Fix available