Is there a public PoC exploit available for CVE-2026-25099?

Yes, a public proof-of-concept exploit is available for CVE-2026-25099. Prioritise patching immediately. EPSS: 0.4%.

How to fix or mitigate CVE-2026-25099?

Within 24 hours: Identify all Bludit CMS deployments and document current versions in use. Within 7 days: Upgrade all instances to Bludit CMS 3.18.4 or later; rotate all API tokens immediately before and after patching. Within 30 days: Audit API token usage logs for suspicious file upload activity prior to patch date and implement network access controls to restrict API endpoint exposure.

CVE-2026-25099

Q: What is the CVSS score of CVE-2026-25099?

CVE-2026-25099 has a CVSS 4.0 base score of 8.7 (High). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.4%.

EUVD-2026-16577 HIGH

Unrestricted Upload of File with Dangerous Type (CWE-434)

2026-03-27 CERT-PL

RCE File Upload

8.7

CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Lifecycle Timeline

Analysis Updated

Apr 16, 2026 - 06:12 EUVD-patch-fix

executive_summary

Re-analysis Queued

Apr 16, 2026 - 05:29 backfill_euvd_patch

patch_released

Patch available

Apr 16, 2026 - 05:29 EUVD

3.18.4

EUVD ID Assigned

Mar 27, 2026 - 12:15 euvd

EUVD-2026-16577

Analysis Generated

Mar 27, 2026 - 12:15 vuln.today

CVE Published

Mar 27, 2026 - 11:55 nvd

HIGH 8.7

DescriptionNVD

Bludit’s API plugin allows an authenticated attacker with a valid API token to upload files of any type and extension without restriction, which can then be executed, leading to Remote Code Execution.

This issue was fixed in 3.18.4.

AnalysisAI

Remote code execution in Bludit CMS versions prior to 3.18.4 allows authenticated attackers holding valid API tokens to upload and execute arbitrary files through the API plugin's unrestricted file upload mechanism. The vulnerability has a CVSS 4.0 score of 8.7 with network attack vector and low complexity, requires authenticated access (PR:L), and was reported by CERT-PL. …

RemediationAI

Within 24 hours: Identify all Bludit CMS deployments and document current versions in use. Within 7 days: Upgrade all instances to Bludit CMS 3.18.4 or later; rotate all API tokens immediately before and after patching. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-25099 vulnerability details – vuln.today

Back

CVE-2026-25099

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Analysis

Full analysis requires sign-in

Share

CVE-2026-25099

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code