Moderate severityNVD Advisory· Published Mar 12, 2025· Updated Mar 19, 2025
CVE-2025-26260
CVE-2025-26260
Description
Plenti <= 0.7.16 is vulnerable to code execution. Users uploading '.svelte' files with the /postLocal endpoint can define the file name as javascript codes. The server executes the uploaded file name in host, and cause code execution.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
github.com/plentico/plentiGo | < 0.7.17 | 0.7.17 |
Affected products
3- Plenti/Plentidescription
- ghsa-coords2 versionspkg:golang/github.com/plentico/plentipkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Tumbleweed
< 0.7.17+ 1 more
- (no CPE)range: < 0.7.17
- (no CPE)range: < 0.0.20250313T170021-1.1
Patches
Vulnerability mechanics
References
10- github.com/advisories/GHSA-mj4v-hp69-27x5ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2025-26260ghsaADVISORY
- ahmetakan.com/2025/02/14/cve-2025-26260ghsaWEB
- github.com/ahmetak4n/vulnerability-playground/tree/main/vulnerability-research/CVE-2025-26260ghsaWEB
- github.com/plentico/plenti/commit/c3e72a9ebbc2a03f4b0f3104becbfc25e390cb8eghsaWEB
- github.com/plentico/plenti/releases/tag/v0.7.17ghsaWEB
- github.com/plentico/plenti/security/advisories/GHSA-mj4v-hp69-27x5ghsaWEB
- pkg.go.dev/vuln/GO-2025-3454ghsaWEB
- pkg.go.dev/vuln/GO-2025-3515ghsaWEB
- ahmetakan.com/2025/02/14/cve-2025-26260/mitre
News mentions
0No linked articles in our index yet.