CVE-2018-1000811

HIGH

Bludit 3.0.0 - Unrestricted Upload of File with Dangerous Type in Pages Editor

Exploitation Summary

EIP tracks 1 public exploit for CVE-2018-1000811. PoCs published by BouSalman.

AI-analyzed exploit summary: This exploit demonstrates an arbitrary file upload vulnerability in Bludit 3.0.0 via the Pages Editor. It uploads a malicious PHP file disguised as an image, allowing remote command execution via a GET parameter.

Description

Bludit version 3.0.0 contains an Unrestricted Upload of File with Dangerous Type vulnerability in Content Upload in Pages Editor that can result in Remote Command Execution. This attack appears to be exploitable when a malicious user uploads a crafted payload containing PHP code.

Exploits (1)

exploitdb · WORKING POC
by BouSalman · text · webapps · php
https://www.exploit-db.com/exploits/46060

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: Bludit 3.0.0
Auth required
Prerequisites: Valid admin session (BLUDIT-KEY cookie) · CSRF token
devstral-2 · analyzed Feb 16, 2026

References (2)

Core References
https://www.exploit-db.com/exploits/46060/ (Third Party Advisory, VDB Entry; exploit; x_refsource_exploit-db)
https://github.com/bludit/bludit/issues/812 (Exploit, Third Party Advisory; x_refsource_misc)

Scores

CVSS v3: 8.8
EPSS: 0.4764
EPSS Percentile: 98.7%
Attack Vector: NETWORK
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE: CWE-434
Status: published
Products (1): bludit/bludit 3.0.0
Published: Dec 20, 2018
Tracked Since: Feb 18, 2026