CVE-2026-25099

Source
https://cve.org/CVERecord?id=CVE-2026-25099
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-25099.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-25099
Published
2026-03-27T11:55:23.168Z
Modified
2026-07-15T01:49:01.605912273Z
Severity
  • 8.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L CVSS Calculator
Summary
Remote Code Execution via Unrestricted File Upload in Bludit
Details

Bludit’s API plugin allows an authenticated attacker with a valid API token to upload files of any type and extension without restriction, which can then be executed, leading to Remote Code Execution.

This issue was fixed in 3.18.4.

Database specific
{
    "cwe_ids": [
        "CWE-434"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/25xxx/CVE-2026-25099.json",
    "cna_assigner": "CERT-PL"
}
References

Affected packages

Git / github.com/bludit/bludit

Affected ranges

Type
GIT
Repo
https://github.com/bludit/bludit
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "cpe": "cpe:2.3:a:bludit:bludit:*:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "3.18.4"
        }
    ],
    "source": [
        "AFFECTED_FIELD",
        "CPE_RANGE",
        "REFERENCES"
    ]
}

Affected versions

3.*
3.17.2
3.18.0
3.18.1
3.18.2

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-25099.json"