CVE-2026-25099

Severity: HIGH

Remote Code Execution via Unrestricted File Upload in Bludit

Title source: CNA

Exploitation Summary

EIP tracks 2 public exploits for CVE-2026-25099. PoCs published by yahia and yahiahamza.

AI-analyzed exploit summary

This exploit demonstrates an authenticated file upload vulnerability in the Bludit CMS API plugin, allowing an attacker with a valid API token to upload a PHP webshell and achieve remote code execution. The exploit automates the process of retrieving a page key, uploading the shell, and executing commands.

Description

Bludit’s API plugin allows an authenticated attacker with a valid API token to upload files of any type and extension without restriction, which can then be executed, leading to Remote Code Execution. This issue was fixed in 3.18.4.

Exploits (2)

exploit-db (working PoC)
by yahia · python · webapps · multiple
https://www.exploit-db.com/exploits/52553

Classification: Working PoC (100%)
Attack type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Bludit CMS < 3.18.4
Authentication: required
Prerequisites: valid API token · API plugin enabled
Analyzed by devstral-2 on May 08, 2026
nomisec (working PoC)
by yahiahamza · poc
https://github.com/yahiahamza/CVE-2026-25099

This repository contains a functional exploit for CVE-2026-25099, demonstrating an unrestricted file upload vulnerability in Bludit CMS versions before 3.18.4. The exploit uploads a PHP webshell via the API endpoint and achieves remote code execution.

Classification: Working PoC (100%)
Attack type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Bludit CMS < 3.18.4
Authentication: required
Prerequisites: valid API token · API plugin enabled
Analyzed by devstral-2 on Apr 08, 2026

References (2)

Core references
Third-party advisory: https://cert.pl/posts/2026/03/CVE-2026-25099

Scores

CVSS v3: 8.8
EPSS: 0.0192
EPSS percentile: 77.2%
Attack vector: NETWORK
Vector string: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation: none
Automatable: no
Technical impact: total

Details

CWE: CWE-434 (Unrestricted Upload of File with Dangerous Type)
Status: published
Products (2):
Bludit/Bludit < 3.18.4
bludit/bludit < 3.18.4
Published: Mar 27, 2026
Tracked since: Mar 29, 2026