High severity8.8NVD Advisory· Published Mar 27, 2026· Updated Apr 1, 2026

CVE-2026-25099

Description

Bludit’s API plugin allows an authenticated attacker with a valid API token to upload files of any type and extension without restriction, which can then be executed, leading to Remote Code Execution.

This issue was fixed in 3.18.4.

Affected products

Bludit/Bludit
cpe:2.3:a:bludit:bludit:*:*:*:*:*:*:*:*
Range: <3.18.4

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

cert.pl/posts/2026/03/CVE-2026-25099nvdThird Party Advisory
github.com/bludit/bludit/releases/tag/3.18.4nvdRelease Notes

News mentions

No linked articles in our index yet.

cvss	0.572
epss	0.001
exploit	0.030
kev	0.000
patch	0.000
ransomware	0.000