CVE-2026-25099 | THREATINT

Description

Bludit’s API plugin allows an authenticated attacker with a valid API token to upload files of any type and extension without restriction, which can then be executed, leading to Remote Code Execution. This issue was fixed in 3.18.4.

PUBLISHED Reserved 2026-01-29 | Published 2026-03-27 | Updated 2026-03-27 | Assigner CERT-PL

HIGH: 8.7CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L

Problem types

CWE-434 Unrestricted Upload of File with Dangerous Type

Product status

Default status

unaffected

Any version before 3.18.4

affected

Credits

Arkadiusz Marta finder

References

cert.pl/posts/2026/03/CVE-2026-25099 third-party-advisory

github.com/bludit/bludit/releases/tag/3.18.4 release-notes

cve.org (CVE-2026-25099)

nvd.nist.gov (CVE-2026-25099)

Download JSON