CVE-2026-25099

HIGH

Bludit’s API plugin allows an authenticated attacker with a valid API token to upload files of any type and extension without restriction, which can then be executed, leading to Remote Code Execution. This issue was fixed in 3.18.4.

CVSS v3.1 Score

8.8
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
NETWORK
Complexity
LOW
Privileges
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
HIGH
Integrity
HIGH
Availability
HIGH
Published: 3/27/2026Modified: 4/1/2026

Related Intelligence (1)

HIGHVulnerability

NVD HIGH: CVE-2026-25099 — Bludit’s API plugin allows an authenticated attacker with a valid API token to u...

Bludit’s API plugin allows an authenticated attacker with a valid API token to upload files of any type and extension without restriction, which can then be executed, leading to Remote Code Execution. This issue was fixed in 3.18.4.

CVE-2026-25099
NIST NVD

References (2)

https://cert.pl/posts/2026/03/CVE-2026-25099Third Party Advisoryhttps://github.com/bludit/bludit/releases/tag/3.18.4Release Notes