Remote Code Execution Vulnerability in Bludit's API Plugin
CVE-2026-25099
8.7 HIGH
What is CVE-2026-25099?
Bludit's API plugin contains a critical vulnerability that allows authenticated users with a valid API token to upload files of any type and extension without restriction. This misconfiguration could enable attackers to execute arbitrary code on the server, posing serious security risks. The issue has been addressed in version 3.18.4, making it imperative for users to upgrade to this version to mitigate potential threats.
Affected Version(s)
Bludit: versions from 0 up to, but not including, 3.18.4
