CVE-2026-25099 PUBLISHED

Remote Code Execution via Unrestricted File Upload in Bludit

Assigner: CERT-PL
Reserved: 29.01.2026 Published: 27.03.2026 Updated: 27.03.2026

Bludit’s API plugin allows an authenticated attacker with a valid API token to upload files of any type and extension without restriction, which can then be executed, leading to Remote Code Execution.

This issue was fixed in 3.18.4.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L
CVSS Score: 8.7

Product Status

Vendor Bludit
Product Bludit
Versions Default: unaffected
  • affected from 0 to 3.18.4 (excl.)

Affected Configurations

Bludit's API plugin is disabled by default. It needs to be manually enabled by an administrator.

Credits

  • Arkadiusz Marta finder

References

Problem Types

  • CWE-434 Unrestricted Upload of File with Dangerous Type CWE