How to fix EUVD-2026-16577?

Within 24 hours: Audit all valid API tokens in use and rotate any with unknown ownership or excessive age; disable the API plugin if not actively required for business operations. Within 7 days: Identify all Bludit CMS instances and document their versions; prioritize inventory for versions below 3.18.4. Within 30 days: Upgrade all affected Bludit CMS installations to version 3.18.4 or later when released; if upgrade is blocked by compatibility issues, implement compensating controls (network segmentation, WAF rules blocking /api/v1/files endpoints, and API token restriction policies).

EUVD-2026-16577

| CVE-2026-25099 HIGH

2026-03-27 CERT-PL

8.7

CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Lifecycle Timeline

EUVD ID Assigned

Mar 27, 2026 - 12:15 euvd

EUVD-2026-16577

Analysis Generated

Mar 27, 2026 - 12:15 vuln.today

CVE Published

Mar 27, 2026 - 11:55 nvd

HIGH 8.7

Description

Bludit’s API plugin allows an authenticated attacker with a valid API token to upload files of any type and extension without restriction, which can then be executed, leading to Remote Code Execution. This issue was fixed in 3.18.4.

Analysis

Remote code execution in Bludit CMS versions prior to 3.18.4 allows authenticated attackers holding valid API tokens to upload and execute arbitrary files through the API plugin's unrestricted file upload mechanism. The vulnerability has a CVSS 4.0 score of 8.7 with network attack vector and low complexity, requires authenticated access (PR:L), and was reported by CERT-PL. …

Remediation

Within 24 hours: Audit all valid API tokens in use and rotate any with unknown ownership or excessive age; disable the API plugin if not actively required for business operations. Within 7 days: Identify all Bludit CMS instances and document their versions; prioritize inventory for versions below 3.18.4. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.4

CVSS: +44

POC: 0

EUVD-2026-16577 vulnerability details – vuln.today

Back

EUVD-2026-16577

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Analysis

Full analysis requires sign-in

Priority Score

Share

EUVD-2026-16577

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Full analysis requires sign-in

Priority Score

Share

External POC / Exploit Code