Description

Plenti <= 0.7.16 is vulnerable to code execution. A user uploading a '.svelte' file through the /postLocal endpoint can set the file name to JavaScript code. The server executes that uploaded file name on the host, resulting in code execution.

Status: PUBLISHED | Reserved 2025-02-07 | Published 2025-03-12 | Updated 2025-03-19 | Assigner: mitre

References

github.com/...plenti/security/advisories/GHSA-mj4v-hp69-27x5 exploit

github.com/...plenti/security/advisories/GHSA-mj4v-hp69-27x5

github.com/plentico/plenti/releases/tag/v0.7.17

github.com/...ree/main/vulnerability-research/CVE-2025-26260

ahmetakan.com/2025/02/14/cve-2025-26260/

cve.org (CVE-2025-26260)

nvd.nist.gov (CVE-2025-26260)