CVE-2026-38329 | THREATINT

Description

Bludit CMS before version 3.18.4 allows Remote Code Execution (RCE) via the API Plugin. The POST /api/files/{key} endpoint in bl-plugins/api/plugin.php fails to perform authorization checks and lacks file extension validation. An attacker with a valid API token can upload a malicious PHP script and execute arbitrary code on the server.

PUBLISHED Reserved 2026-04-06 | Published 2026-06-15 | Updated 2026-06-16 | Assigner mitre

References

gist.github.com/Ki1ro0133/8bd14bd4fc6fab81c907d838a7aeee55 exploit

gist.github.com/Ki1ro0133/8bd14bd4fc6fab81c907d838a7aeee55

cve.org (CVE-2026-38329)

nvd.nist.gov (CVE-2026-38329)

Download JSON