Skip to main content

Bludit CVE-2026-25099

| EUVDEUVD-2026-16577 HIGH
Unrestricted Upload of File with Dangerous Type (CWE-434)
2026-03-27 CERT-PL
8.7
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

6
Analysis Updated
Apr 16, 2026 - 06:12 EUVD-patch-fix
executive_summary
Re-analysis Queued
Apr 16, 2026 - 05:29 backfill_euvd_patch
patch_released
Patch available
Apr 16, 2026 - 05:29 EUVD
3.18.4
EUVD ID Assigned
Mar 27, 2026 - 12:15 euvd
EUVD-2026-16577
Analysis Generated
Mar 27, 2026 - 12:15 vuln.today
CVE Published
Mar 27, 2026 - 11:55 nvd
HIGH 8.7

DescriptionCVE.org

Bludit’s API plugin allows an authenticated attacker with a valid API token to upload files of any type and extension without restriction, which can then be executed, leading to Remote Code Execution.

This issue was fixed in 3.18.4.

AnalysisAI

Remote code execution in Bludit CMS versions prior to 3.18.4 allows authenticated attackers holding valid API tokens to upload and execute arbitrary files through the API plugin's unrestricted file upload mechanism. The vulnerability has a CVSS 4.0 score of 8.7 with network attack vector and low complexity, requires authenticated access (PR:L), and was reported by CERT-PL. No public exploit identified at time of analysis, though the technical details are publicly disclosed.

Technical ContextAI

The vulnerability exists in Bludit CMS's API plugin component, as identified by CPE cpe:2.3:a:bludit:bludit:*:*:*:*:*:*:*:*. This represents CWE-434 (Unrestricted Upload of File with Dangerous Type), a critical flaw class where applications fail to validate file types, extensions, or content during upload operations. The API plugin lacks proper input validation and sanitization mechanisms to restrict uploaded file types, allowing attackers to bypass any extension or MIME-type checks. Once uploaded, these files can be accessed and executed by the web server if placed in web-accessible directories, converting a file upload weakness into remote code execution. The vulnerability specifically affects the API authentication flow, requiring attackers to possess valid API tokens rather than standard user credentials.

RemediationAI

Upgrade Bludit CMS to version 3.18.4 or later, which contains the vendor-released patch addressing the unrestricted file upload vulnerability. The patched version is available at https://github.com/bludit/bludit/releases/tag/3.18.4 with detailed release notes. Until patching is completed, organizations should disable the API plugin if not operationally required, implement strict network-level access controls limiting API endpoint access to trusted IP ranges, conduct immediate audit of existing API tokens to revoke unnecessary credentials, and monitor web server logs for suspicious file upload activity or execution of unexpected file types. Web application firewall rules can provide interim protection by blocking file uploads with executable extensions (.php, .phtml, .php5) to API endpoints, though this is not a complete substitute for applying the vendor patch.

More in Bludit

View all
CVE-2019-16113 HIGH POC
8.8 Sep 08

Bludit 3.9.2 allows remote code execution via bl-kernel/ajax/upload-images.php because PHP code can be entered with a .j

CVE-2019-17240 CRITICAL POC
9.8 Oct 06

bl-kernel/security.class.php in Bludit 3.9.2 allows attackers to bypass a brute-force protection mechanism by using many

CVE-2020-18190 CRITICAL POC
9.1 Oct 02

Bludit v3.8.1 is affected by directory traversal. Rated critical severity (CVSS 9.1), this vulnerability is remotely exp

CVE-2024-24551 HIGH POC
8.9 Jun 24

A security vulnerability has been identified in Bludit, allowing authenticated attackers to execute arbitrary code throu

CVE-2024-24550 HIGH POC
8.9 Jun 24

A security vulnerability has been identified in Bludit, allowing attackers with knowledge of the API token to upload arb

CVE-2023-31572 HIGH POC
8.8 May 16

An issue in Bludit 4.0.0-rc-2 allows authenticated attackers to change the Administrator password and escalate privilege

CVE-2018-1000811 HIGH POC
8.8 Dec 20

bludit version 3.0.0 contains a Unrestricted Upload of File with Dangerous Type vulnerability in Content Upload in Pages

CVE-2023-24674 HIGH POC
7.8 Sep 01

Permissions vulnerability found in Bludit CMS v.4.0.0 allows local attackers to escalate privileges via the role:admin p

CVE-2021-25808 HIGH POC
7.8 Jul 23

A code injection vulnerability in backup/plugin.php of Bludit 3.13.1 allows attackers to execute arbitrary code via a cr

CVE-2020-19228 HIGH POC
7.2 May 11

An issue was found in bludit v3.13.0, unsafe implementation of the backup plugin allows attackers to upload arbitrary fi

CVE-2021-35323 MEDIUM POC
6.1 Oct 19

Cross Site Scripting (XSS) vulnerability exists in bludit 3-13-1 via the username in admin/login. Rated medium severity

CVE-2018-16313 MEDIUM POC
6.1 Sep 01

Bludit 2.3.4 allows XSS via a user name. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, n

Share

CVE-2026-25099 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy