CVE-2026-25099

Remote Code Execution via Unrestricted File Upload in Bludit

Title source: cna

Description

Bludit’s API plugin allows an authenticated attacker with a valid API token to upload files of any type and extension without restriction, which can then be executed, leading to Remote Code Execution. This issue was fixed in 3.18.4.

Scores

EPSS: 0.0041
EPSS Percentile: 61.3%

Details

CWE: CWE-434 (Unrestricted Upload of File with Dangerous Type)
Status: published
Products (1): Bludit/Bludit < 3.18.4
Published: Mar 27, 2026
Tracked Since: Mar 29, 2026