CVE-2026-25099

HIGH

Bludit’s API plugin allows an authenticated attacker with a valid API token to upload files of any type and extension without restriction, which can then be executed, leading to Remote Code Execution. This issue was fixed in 3.18.4.

CVSS v3.1 Score

8.8

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

NETWORK

Complexity

LOW

Privileges

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Published: 3/27/2026Modified: 4/1/2026

Related Intelligence (0)

No articles currently reference this CVE.

References (2)

https://cert.pl/posts/2026/03/CVE-2026-25099Third Party Advisory https://github.com/bludit/bludit/releases/tag/3.18.4Release Notes