VYPR
Unrated severity · NVD Advisory · Published Jun 15, 2026 · Updated Jun 15, 2026

CVE-2026-38329

Description

Bludit CMS before 3.18.4 allows remote code execution via the API Plugin's POST /api/files endpoint due to missing authorization and file extension validation.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The vulnerability resides in the API Plugin of Bludit CMS (bl-plugins/api/plugin.php). The POST /api/files/{key} endpoint does not enforce the write-permission check that the plugin's other write endpoints apply (missing authorization, CWE-862), and it stores the uploaded file under its client-supplied name with no extension validation (unrestricted upload, CWE-434). Any valid API token, including a read-only token, is therefore enough to upload arbitrary files, PHP scripts included. Affected versions are Bludit CMS before 3.18.4. [1]

Exploitation

The attacker needs a valid API token. Because the endpoint skips the permission check, any leaked or compromised token is sufficient, including a read-only one. The attacker then prepares a PHP file (e.g., a web shell) and sends it in a multipart POST to /api/files/{key}, where {key} is an existing page key such as some-page, together with the token. The server writes the file to the uploads directory under the supplied name without filtering the extension. The attacker then requests the uploaded file directly from the web server, which executes it as PHP, and passes commands in request parameters. [1]
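As an added example (not part of the advisory or of the Bludit project), the following Python detection logic runs over web server access log lines and flags the sequence described above: a POST to /api/files/{key} followed, from the same client, by a request for a script-like file under the uploads directory, and any request for such a file even without a preceding upload. It assumes the Apache/nginx "combined" log format and Bludit's default /bl-content/uploads/ path (adjust UPLOADS_PREFIX otherwise); the log lines are constructed for the demonstration.

```python
"""Flag probable abuse of Bludit's POST /api/files/{key} upload endpoint
in web server access logs (added example, not Bludit project code).

Assumptions: "combined" log format; uploads served from /bl-content/uploads/.
The sample log below is constructed.
"""
import re
from collections import defaultdict

# Extensions a PHP-enabled web server may execute. Every dot-separated segment
# is checked, not only the last, because "shell.php.jpg" is still handed to PHP
# under Apache's AddHandler-style configuration.
EXEC_SEGMENTS = {"php", "php3", "php4", "php5", "php7", "php8", "phtml", "phar", "phps"}
UPLOADS_PREFIX = "/bl-content/uploads/"   # assumption: default Bludit layout

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)
API_FILES_RE = re.compile(r"^/api/files/(?P<key>[^/?#]+)")

# Constructed sample: one exploitation sequence, one benign upload, one probe.
CONSTRUCTED_LOG = """\
203.0.113.7 - - [15/Jun/2026:10:01:02 +0000] "GET /api/pages HTTP/1.1" 200 812
203.0.113.7 - - [15/Jun/2026:10:01:09 +0000] "POST /api/files/some-page HTTP/1.1" 200 97
203.0.113.7 - - [15/Jun/2026:10:01:15 +0000] "GET /bl-content/uploads/shell.php?cmd=id HTTP/1.1" 200 41
198.51.100.4 - - [15/Jun/2026:10:02:30 +0000] "POST /api/files/travel HTTP/1.1" 200 103
198.51.100.4 - - [15/Jun/2026:10:02:41 +0000] "GET /bl-content/uploads/beach.jpg HTTP/1.1" 200 48213
192.0.2.9 - - [15/Jun/2026:10:05:00 +0000] "GET /bl-content/uploads/x.php.jpg HTTP/1.1" 404 0
"""


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path_noquery"] = rec["path"].split("?", 1)[0]
    return rec


def has_exec_segment(path):
    """True if the file name carries an executable extension in any position."""
    name = path.rsplit("/", 1)[-1].lower()
    return any(seg in EXEC_SEGMENTS for seg in name.split(".")[1:])


def analyse(log_text):
    """Return (ip, reason, path) findings in log order."""
    findings = []
    uploads_by_ip = defaultdict(list)
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        ip, path = rec["ip"], rec["path_noquery"]
        if rec["method"] == "POST" and API_FILES_RE.match(path):
            uploads_by_ip[ip].append(path)          # remember who used the upload API
        elif path.startswith(UPLOADS_PREFIX) and has_exec_segment(path):
            reason = "script requested under uploads"
            if uploads_by_ip.get(ip):
                reason = "api upload followed by script request"
            findings.append((ip, reason, path))     # flagged regardless of status: 404s are probes
    return findings


if __name__ == "__main__":
    for ip, reason, path in analyse(CONSTRUCTED_LOG):
        print(f"{ip:15} {reason:40} {path}")
```

Status codes are deliberately not used to suppress findings: a 404 for a .php name under the uploads path is still a probe worth seeing, and a 200 for one is an incident.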

Impact

Successful exploitation results in remote code execution on the server with the privileges of the web server user. This allows the attacker to fully compromise the CMS, access or modify sensitive data, and potentially pivot to other systems on the network. [1]

Mitigation

Upgrade to Bludit 3.18.4 or later, which adds the authorization check and file extension validation to the POST /api/files endpoint. No vendor workaround is documented; applying the update is the only complete fix. If upgrading is not immediately possible, disable the API plugin or restrict network access to the /api/ endpoints. [1] Independently of the upgrade, rotate existing API tokens, since any token valid before the fix could already have been used, and configure the web server to refuse to execute scripts from the uploads directory, which limits the impact of any file already planted there.
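Before and after upgrading, a practitioner wants two answers: is this install below 3.18.4, and does the uploads directory already hold anything a PHP-enabled web server would execute. The Python audit below is an added example, not Bludit project code. It reads BLUDIT_VERSION from bl-kernel/boot/init.php in the exact define('BLUDIT_VERSION', '...') form shown in the fix commit, compares it numerically against 3.18.4, and scans upload file names for executable extensions in any position and for .htaccess (which can re-enable script execution). The default bl-content/uploads/ location is an assumption; the init.php excerpt and file list are constructed.

```python
"""Pre-upgrade audit for CVE-2026-38329 (added example, not Bludit project code).

Assumptions: BLUDIT_VERSION is defined in bl-kernel/boot/init.php as shown in the
fix commit; uploads live under bl-content/uploads/. Sample inputs are constructed.
"""
import re
from pathlib import Path

FIXED_VERSION = (3, 18, 4)
EXEC_SEGMENTS = {"php", "php3", "php4", "php5", "php7", "php8", "phtml", "phar", "phps"}
VERSION_RE = re.compile(r"define\(\s*'BLUDIT_VERSION'\s*,\s*'([^']*)'\s*\)")

# Constructed sample: the pre-fix header of init.php as the fix commit shows it.
CONSTRUCTED_INIT_PHP = """<?php defined('BLUDIT') or die('Bludit CMS.');

// Bludit version
define('BLUDIT_VERSION',        '3.18.3');
define('BLUDIT_CODENAME',       'Lince');
define('BLUDIT_RELEASE_DATE',   '2026-03-14');
define('BLUDIT_BUILD',          '20260314');
"""
# Constructed sample listing of an uploads directory.
CONSTRUCTED_UPLOADS = ["beach.jpg", "notes.pdf", "shell.php", "x.php.jpg", ".htaccess", "readme.txt"]


def parse_version(text):
    """'3.18.3' -> (3, 18, 3). Integer tuples compare correctly where string
    comparison does not ('3.18.10' < '3.18.4' as strings)."""
    parts = tuple(int(p) for p in re.findall(r"\d+", text))
    if not parts:
        raise ValueError(f"no numeric version in {text!r}")
    return parts


def version_from_init_php(source):
    m = VERSION_RE.search(source)
    if not m:
        raise ValueError("BLUDIT_VERSION not found in init.php source")
    return parse_version(m.group(1))


def is_vulnerable(version):
    return version < FIXED_VERSION


def is_suspicious_name(name):
    """Executable extension in any segment, or a .htaccess dropped into uploads."""
    base = name.lower().rsplit("/", 1)[-1]
    if base == ".htaccess":
        return True
    return any(seg in EXEC_SEGMENTS for seg in base.split(".")[1:])


def suspicious_uploads(names):
    return sorted(n for n in names if is_suspicious_name(n))


def audit(init_php_source, upload_names):
    version = version_from_init_php(init_php_source)
    return {
        "version": version,
        "vulnerable": is_vulnerable(version),
        "suspicious": suspicious_uploads(upload_names),
    }


def audit_install(web_root):
    """Run the same audit against a real install rooted at web_root."""
    root = Path(web_root)
    init_src = (root / "bl-kernel" / "boot" / "init.php").read_text(encoding="utf-8")
    uploads = root / "bl-content" / "uploads"   # assumption: default layout
    names = []
    if uploads.is_dir():
        names = [p.relative_to(uploads).as_posix() for p in uploads.rglob("*") if p.is_file()]
    return audit(init_src, names)


if __name__ == "__main__":
    print(audit(CONSTRUCTED_INIT_PHP, CONSTRUCTED_UPLOADS))
```

A non-empty "suspicious" list on a pre-3.18.4 install means the upgrade is remediation, not prevention: treat the host as compromised and investigate the files and the access logs before trusting it again.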

References
  1. CVE-2026-38329

AI Insight generated on Jun 15, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (2)

  • Bludit / Bludit (vendor and product inferred), 2 version ranges
    • (no CPE) range: <3.18.4
    • (no CPE) range: <3.18.4

Patches (1)

fea1a5a777fc

chore: bump version

https://github.com/bludit/bludit · dignajar · Mar 17, 2026 · Fixed in 3.18.4 · via release-tag
32 files changed · +25392 −90
  • bl-kernel/boot/init.php+3 3 modified
    @@ -1,10 +1,10 @@
     <?php defined('BLUDIT') or die('Bludit CMS.');
     
     // Bludit version
    -define('BLUDIT_VERSION',        '3.18.3');
    +define('BLUDIT_VERSION',        '3.18.4');
     define('BLUDIT_CODENAME',       'Lince');
    -define('BLUDIT_RELEASE_DATE',   '2026-03-14');
    -define('BLUDIT_BUILD',          '20260314');
    +define('BLUDIT_RELEASE_DATE',   '2026-03-17');
    +define('BLUDIT_BUILD',          '20260317');
     
     // Change to TRUE for debugging
     define('DEBUG_MODE', TRUE);
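Review bot: DEBUG_MODE stays defined as TRUE in this release build; the hunk updates the three version and date constants above it and leaves the debug flag on, so 3.18.4 ships with debugging enabled. For a tagged release the constant should be FALSE, or derived from an environment setting, since debug output commonly exposes filesystem paths, stack traces and configuration to unauthenticated visitors.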
    
  • bl-languages/it_IT.json+1 1 modified
    @@ -2,7 +2,7 @@
         "language-data": {
             "native": "Italiano (Italia)",
             "english-name": "Italian",
    -        "last-update": "2026-03-14",
    +        "last-update": "2026-03-17",
             "authors": [
                 "Daniele La Pira https://github.com/danielelapira",
                 "Giuseppe Pignataro https://github.com/fastbyte01",
    
  • bl-plugins/about/metadata.json+3 3 modified
    @@ -2,9 +2,9 @@
     	"author": "Bludit",
     	"email": "",
     	"website": "https://plugins.bludit.com",
    -	"version": "3.18.3",
    -	"releaseDate": "2026-03-14",
    +	"version": "3.18.4",
    +	"releaseDate": "2026-03-17",
     	"license": "MIT",
    -	"compatible": "3.18.3",
    +	"compatible": "3.18",
     	"notes": ""
     }
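Review bot: the "compatible" field is loosened from the exact patch release "3.18.3" to the minor series "3.18", a policy change that this commit repeats in every bundled plugin and theme metadata.json but that the commit message ("chore: bump version") does not mention. State the intent in the message and confirm how the compatibility check interprets a two-component value, so it is clear that "3.18" is meant to match 3.18.4 and later patch releases.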
    
  • bl-plugins/alternative/metadata.json+3 3 modified
    @@ -2,10 +2,10 @@
     	"author": "Bludit",
     	"email": "",
     	"website": "https://plugins.bludit.com",
    -	"version": "3.18.3",
    -	"releaseDate": "2026-03-14",
    +	"version": "3.18.4",
    +	"releaseDate": "2026-03-17",
     	"license": "MIT",
    -	"compatible": "3.18.3",
    +	"compatible": "3.18",
     	"notes": "",
     	"type": "theme"
     }
    
  • bl-plugins/api/metadata.json+3 3 modified
    @@ -2,9 +2,9 @@
     	"author": "Bludit",
     	"email": "",
     	"website": "https://plugins.bludit.com",
    -	"version": "3.18.3",
    -	"releaseDate": "2026-03-14",
    +	"version": "3.18.4",
    +	"releaseDate": "2026-03-17",
     	"license": "MIT",
    -	"compatible": "3.18.3",
    +	"compatible": "3.18",
     	"notes": ""
     }
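Review bot: this metadata bump is the only change to bl-plugins/api in the whole commit; bl-plugins/api/plugin.php, the file the advisory names for the missing $writePermissions check on POST /api/files/{key} and the unvalidated filename in uploadFile(), is not among the 32 changed files. If this tag is cited as the fix for CVE-2026-38329, link the commit that actually modifies plugin.php, otherwise the patch record misleads anyone trying to backport or verify the fix.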
    
  • bl-plugins/canonical/metadata.json+3 3 modified
    @@ -2,9 +2,9 @@
     	"author": "Bludit",
     	"email": "",
     	"website": "https://plugins.bludit.com",
    -	"version": "3.18.3",
    -	"releaseDate": "2026-03-14",
    +	"version": "3.18.4",
    +	"releaseDate": "2026-03-17",
     	"license": "MIT",
    -	"compatible": "3.18.3",
    +	"compatible": "3.18",
     	"notes": ""
     }
    
  • bl-plugins/categories/metadata.json+3 3 modified
    @@ -2,9 +2,9 @@
     	"author": "Bludit",
     	"email": "",
     	"website": "https://plugins.bludit.com",
    -	"version": "3.18.3",
    -	"releaseDate": "2026-03-14",
    +	"version": "3.18.4",
    +	"releaseDate": "2026-03-17",
     	"license": "MIT",
    -	"compatible": "3.18.3",
    +	"compatible": "3.18",
     	"notes": ""
     }
    
  • bl-plugins/custom-fields-parser/metadata.json+3 3 modified
    @@ -2,9 +2,9 @@
     	"author": "Bludit",
     	"email": "",
     	"website": "https://plugins.bludit.com",
    -	"version": "3.18.3",
    -	"releaseDate": "2026-03-14",
    +	"version": "3.18.4",
    +	"releaseDate": "2026-03-17",
     	"license": "MIT",
    -	"compatible": "3.18.3",
    +	"compatible": "3.18",
     	"notes": ""
     }
    
  • bl-plugins/disqus/metadata.json+3 3 modified
    @@ -2,9 +2,9 @@
     	"author": "Bludit",
     	"email": "",
     	"website": "https://plugins.bludit.com",
    -	"version": "3.18.3",
    -	"releaseDate": "2026-03-14",
    +	"version": "3.18.4",
    +	"releaseDate": "2026-03-17",
     	"license": "MIT",
    -	"compatible": "3.18.3",
    +	"compatible": "3.18",
     	"notes": ""
     }
    
  • bl-plugins/easymde/metadata.json+1 1 modified
    @@ -5,6 +5,6 @@
     	"version": "2.18.0",
     	"releaseDate": "2022-09-20",
     	"license": "MIT",
    -	"compatible": "3.18.3",
    +	"compatible": "3.18",
     	"notes": ""
     }
    
  • bl-plugins/hit-counter/metadata.json+3 3 modified
    @@ -2,9 +2,9 @@
     	"author": "Bludit",
     	"email": "",
     	"website": "https://plugins.bludit.com",
    -	"version": "3.18.3",
    -	"releaseDate": "2026-03-14",
    +	"version": "3.18.4",
    +	"releaseDate": "2026-03-17",
     	"license": "MIT",
    -	"compatible": "3.18.3",
    +	"compatible": "3.18",
     	"notes": ""
     }
    
  • bl-plugins/html-code/metadata.json+3 3 modified
    @@ -2,9 +2,9 @@
     	"author": "Bludit",
     	"email": "",
     	"website": "https://plugins.bludit.com",
    -	"version": "3.18.3",
    -	"releaseDate": "2026-03-14",
    +	"version": "3.18.4",
    +	"releaseDate": "2026-03-17",
     	"license": "MIT",
    -	"compatible": "3.18.3",
    +	"compatible": "3.18",
     	"notes": ""
     }
    
  • bl-plugins/links/metadata.json+3 3 modified
    @@ -2,9 +2,9 @@
     	"author": "Bludit",
     	"email": "",
     	"website": "https://plugins.bludit.com",
    -	"version": "3.18.3",
    -	"releaseDate": "2026-03-14",
    +	"version": "3.18.4",
    +	"releaseDate": "2026-03-17",
     	"license": "MIT",
    -	"compatible": "3.18.3",
    +	"compatible": "3.18",
     	"notes": ""
     }
    
  • bl-plugins/maintenance-mode/metadata.json+3 3 modified
    @@ -2,9 +2,9 @@
     	"author": "Bludit",
     	"email": "",
     	"website": "https://plugins.bludit.com",
    -	"version": "3.18.3",
    -	"releaseDate": "2026-03-14",
    +	"version": "3.18.4",
    +	"releaseDate": "2026-03-17",
     	"license": "MIT",
    -	"compatible": "3.18.3",
    +	"compatible": "3.18",
     	"notes": ""
     }
    
  • bl-plugins/navigation/metadata.json+3 3 modified
    @@ -2,9 +2,9 @@
     	"author": "Bludit",
     	"email": "",
     	"website": "https://plugins.bludit.com",
    -	"version": "3.18.3",
    -	"releaseDate": "2026-03-14",
    +	"version": "3.18.4",
    +	"releaseDate": "2026-03-17",
     	"license": "MIT",
    -	"compatible": "3.18.3",
    +	"compatible": "3.18",
     	"notes": ""
     }
    
  • bl-plugins/opengraph/metadata.json+3 3 modified
    @@ -2,9 +2,9 @@
     	"author": "Bludit",
     	"email": "",
     	"website": "https://plugins.bludit.com",
    -	"version": "3.18.3",
    -	"releaseDate": "2026-03-14",
    +	"version": "3.18.4",
    +	"releaseDate": "2026-03-17",
     	"license": "MIT",
    -	"compatible": "3.18.3",
    +	"compatible": "3.18",
     	"notes": ""
     }
    
  • bl-plugins/popeye/metadata.json+3 3 modified
    @@ -2,10 +2,10 @@
       "author": "Bludit",
       "email": "",
       "website": "https://plugins.bludit.com",
    -  "version": "3.18.3",
    -  "releaseDate": "2026-03-14",
    +  "version": "3.18.4",
    +  "releaseDate": "2026-03-17",
       "license": "MIT",
    -  "compatible": "3.18.3",
    +  "compatible": "3.18",
       "notes": "",
       "type": "theme"
     }
    
  • bl-plugins/remote-content/metadata.json+3 3 modified
    @@ -2,9 +2,9 @@
     	"author": "Bludit",
     	"email": "",
     	"website": "https://plugins.bludit.com/plugin/remote-content",
    -	"version": "3.18.3",
    -	"releaseDate": "2026-03-14",
    +	"version": "3.18.4",
    +	"releaseDate": "2026-03-17",
     	"license": "MIT",
    -	"compatible": "3.18.3",
    +	"compatible": "3.18",
     	"notes": ""
     }
    
  • bl-plugins/robots/metadata.json+3 3 modified
    @@ -2,9 +2,9 @@
     	"author": "Bludit",
     	"email": "",
     	"website": "https://plugins.bludit.com",
    -	"version": "3.18.3",
    -	"releaseDate": "2026-03-14",
    +	"version": "3.18.4",
    +	"releaseDate": "2026-03-17",
     	"license": "MIT",
    -	"compatible": "3.18.3",
    +	"compatible": "3.18",
     	"notes": ""
     }
    
  • bl-plugins/rss/metadata.json+3 3 modified
    @@ -2,9 +2,9 @@
     	"author": "Bludit",
     	"email": "",
     	"website": "https://plugins.bludit.com",
    -	"version": "3.18.3",
    -	"releaseDate": "2026-03-14",
    +	"version": "3.18.4",
    +	"releaseDate": "2026-03-17",
     	"license": "MIT",
    -	"compatible": "3.18.3",
    +	"compatible": "3.18",
     	"notes": ""
     }
    
  • bl-plugins/search/metadata.json+3 3 modified
    @@ -2,9 +2,9 @@
     	"author": "Bludit",
     	"email": "",
     	"website": "https://plugins.bludit.com",
    -	"version": "3.18.3",
    -	"releaseDate": "2026-03-14",
    +	"version": "3.18.4",
    +	"releaseDate": "2026-03-17",
     	"license": "MIT",
    -	"compatible": "3.18.3",
    +	"compatible": "3.18",
     	"notes": ""
     }
    
  • bl-plugins/simple-stats/metadata.json+3 3 modified
    @@ -2,9 +2,9 @@
     	"author": "Bludit",
     	"email": "",
     	"website": "https://plugins.bludit.com",
    -	"version": "3.18.3",
    -	"releaseDate": "2026-03-14",
    +	"version": "3.18.4",
    +	"releaseDate": "2026-03-17",
     	"license": "MIT",
    -	"compatible": "3.18.3",
    +	"compatible": "3.18",
     	"notes": ""
     }
    
  • bl-plugins/sitemap/metadata.json+3 3 modified
    @@ -2,9 +2,9 @@
     	"author": "Bludit",
     	"email": "",
     	"website": "https://plugins.bludit.com",
    -	"version": "3.18.3",
    -	"releaseDate": "2026-03-14",
    +	"version": "3.18.4",
    +	"releaseDate": "2026-03-17",
     	"license": "MIT",
    -	"compatible": "3.18.3",
    +	"compatible": "3.18",
     	"notes": ""
     }
    
  • bl-plugins/static-pages/metadata.json+3 3 modified
    @@ -2,9 +2,9 @@
     	"author": "Bludit",
     	"email": "",
     	"website": "https://plugins.bludit.com",
    -	"version": "3.18.3",
    -	"releaseDate": "2026-03-14",
    +	"version": "3.18.4",
    +	"releaseDate": "2026-03-17",
     	"license": "MIT",
    -	"compatible": "3.18.3",
    +	"compatible": "3.18",
     	"notes": ""
     }
    
  • bl-plugins/tags/metadata.json+3 3 modified
    @@ -2,9 +2,9 @@
     	"author": "Bludit",
     	"email": "",
     	"website": "https://plugins.bludit.com",
    -	"version": "3.18.3",
    -	"releaseDate": "2026-03-14",
    +	"version": "3.18.4",
    +	"releaseDate": "2026-03-17",
     	"license": "MIT",
    -	"compatible": "3.18.3",
    +	"compatible": "3.18",
     	"notes": ""
     }
    
  • bl-plugins/tinymce/tinymce/themes/silver/theme.min.js+25303 1 modified
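Review bot: a +25303/−1 change to the minified bl-plugins/tinymce/tinymce/themes/silver/theme.min.js is folded into a commit titled "chore: bump version" and cannot be reviewed from this diff. Record the upstream TinyMCE version the file was taken from and keep vendored bundle updates in their own commit, so the bundle's contents can be verified against the upstream release independently of the version bump.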
  • bl-plugins/twitter-cards/metadata.json+3 3 modified
    @@ -2,9 +2,9 @@
     	"author": "Bludit",
     	"email": "",
     	"website": "https://plugins.bludit.com",
    -	"version": "3.18.3",
    -	"releaseDate": "2026-03-14",
    +	"version": "3.18.4",
    +	"releaseDate": "2026-03-17",
     	"license": "MIT",
    -	"compatible": "3.18.3",
    +	"compatible": "3.18",
     	"notes": ""
     }
    
  • bl-plugins/version/metadata.json+3 3 modified
    @@ -2,9 +2,9 @@
     	"author": "Bludit",
     	"email": "",
     	"website": "https://plugins.bludit.com",
    -	"version": "3.18.3",
    -	"releaseDate": "2026-03-14",
    +	"version": "3.18.4",
    +	"releaseDate": "2026-03-17",
     	"license": "MIT",
    -	"compatible": "3.18.3",
    +	"compatible": "3.18",
     	"notes": ""
     }
    
  • bl-plugins/visits-stats/metadata.json+3 3 modified
    @@ -2,9 +2,9 @@
     	"author": "Bludit",
     	"email": "",
     	"website": "https://plugins.bludit.com",
    -	"version": "3.18.3",
    -	"releaseDate": "2026-03-14",
    +	"version": "3.18.4",
    +	"releaseDate": "2026-03-17",
     	"license": "MIT",
    -	"compatible": "3.18.3",
    +	"compatible": "3.18",
     	"notes": ""
     }
    
  • bl-themes/alternative/metadata.json+3 3 modified
    @@ -2,10 +2,10 @@
     	"author": "Bludit",
     	"email": "",
     	"website": "https://themes.bludit.com",
    -	"version": "3.18.3",
    -	"releaseDate": "2025-09-01",
    +	"version": "3.18.4",
    +	"releaseDate": "2026-03-17",
     	"license": "MIT",
    -	"compatible": "3.15",
    +	"compatible": "3.18",
     	"notes": "Improved accessibility, SEO with Schema.org, responsive design, and performance",
     	"plugin": "alternative"
     }
    
  • bl-themes/blogx/metadata.json+3 3 modified
    @@ -2,9 +2,9 @@
     	"author": "Bludit",
     	"email": "",
     	"website": "https://themes.bludit.com",
    -	"version": "3.18.3",
    -	"releaseDate": "2026-03-14",
    +	"version": "3.18.4",
    +	"releaseDate": "2026-03-17",
     	"license": "MIT",
    -	"compatible": "3.18.3",
    +	"compatible": "3.18",
     	"notes": ""
     }
    
  • bl-themes/popeye/metadata.json+3 3 modified
    @@ -2,10 +2,10 @@
     	"author": "Bludit",
     	"email": "",
     	"website": "https://themes.bludit.com",
    -	"version": "3.18.3",
    -	"releaseDate": "2026-03-14",
    +	"version": "3.18.4",
    +	"releaseDate": "2026-03-17",
     	"license": "MIT",
    -	"compatible": "3.0",
    +	"compatible": "3.18",
     	"notes": "",
     	"plugin": "popeye"
     }
    

Vulnerability mechanics

Root cause

"Missing authorization check and absent file-extension validation in the API Plugin's file upload endpoint allow arbitrary PHP file upload."

Attack vector

An attacker who possesses a valid API token (even a read-only token) can send a `POST /api/files/{key}` request with a `.php` file attached. Because the endpoint lacks an authorization check and performs no file-extension filtering, the server writes the uploaded PHP script into the uploads directory. The attacker then accesses that script directly via the web server, achieving remote code execution [CWE-862, CWE-434, ref_id=1].

Affected code

The vulnerability resides in `bl-plugins/api/plugin.php`. The `POST /api/files/{key}` endpoint around line 203 omits the `$writePermissions` check that all other write endpoints enforce, and the `uploadFile()` function around line 749 accepts the filename as-is without extension validation or sanitization [ref_id=1].
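The two checks the paragraph above says were missing, a write-permission gate on the token and validation of the uploaded name, are modelled below as an added Python example so the logic can be exercised here. This is not Bludit's PHP code: the token structure ({"permissions": "read" | "write"}), the extension allowlist, the page-key lookup and the error strings are assumptions. It uses an allowlist rather than a blocklist, rejects any name that is not a single path component (which also refuses ../ and .htaccess), and rejects an executable extension in any position, since "shell.php.jpg" is still executed under Apache's AddHandler-style PHP configuration. SVG is deliberately absent from the allowlist because it can carry script.

```python
"""Reference model of the authorization and filename checks that
POST /api/files/{key} lacked before 3.18.4 (added example, not Bludit code).

Assumptions: token is a dict with a "permissions" field; allowlist and
error strings are illustrative; page keys are a plain set.
"""
import re

ALLOWED_EXT = {"jpg", "jpeg", "png", "gif", "webp", "pdf", "txt"}   # assumption: tune per site
EXEC_SEGMENTS = {"php", "php3", "php4", "php5", "php7", "php8", "phtml", "phar", "phps"}
# Exactly one path component: no slashes, no leading dot, bounded length.
SAFE_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$")


class UploadRejected(Exception):
    pass


def authorize_write(token):
    """The gate the vulnerable endpoint skipped; every write endpoint must apply it."""
    if token is None or token.get("permissions") != "write":
        raise UploadRejected("token lacks write permission")


def validate_filename(raw):
    """Return the name if it is safe to store; raise UploadRejected otherwise."""
    if not SAFE_NAME_RE.match(raw):
        raise UploadRejected("filename contains path separators, a leading dot, or disallowed characters")
    segments = raw.lower().split(".")
    if len(segments) < 2:
        raise UploadRejected("filename has no extension")
    # Every extension segment is checked, not only the last one.
    if any(seg in EXEC_SEGMENTS for seg in segments[1:]):
        raise UploadRejected("executable extension")
    if segments[-1] not in ALLOWED_EXT:
        raise UploadRejected(f"extension .{segments[-1]} not in allowlist")
    return raw


def handle_upload(token, key, raw_filename, known_keys):
    """Authorize first, then check the target page, then the filename."""
    authorize_write(token)
    if key not in known_keys:
        raise UploadRejected("unknown page key")
    return validate_filename(raw_filename)


def try_upload(token, key, raw_filename, known_keys):
    """Wrap handle_upload into an 'ok:<name>' / 'rejected:<reason>' string."""
    try:
        return "ok:" + handle_upload(token, key, raw_filename, known_keys)
    except UploadRejected as exc:
        return "rejected:" + str(exc)


# Constructed tokens and page keys for the demonstration.
READ_TOKEN = {"value": "constructed-read-token", "permissions": "read"}
WRITE_TOKEN = {"value": "constructed-write-token", "permissions": "write"}
PAGES = {"some-page", "travel"}

if __name__ == "__main__":
    cases = [
        (READ_TOKEN, "cat.jpg"),         # the pre-fix bug: read-only token accepted
        (WRITE_TOKEN, "shell.php"),
        (WRITE_TOKEN, "shell.php.jpg"),
        (WRITE_TOKEN, "../cat.jpg"),
        (WRITE_TOKEN, ".htaccess"),
        (WRITE_TOKEN, "photo.PNG"),
    ]
    for tok, name in cases:
        print(f"{name:15} -> {try_upload(tok, 'some-page', name, PAGES)}")
```

The ordering in handle_upload is the point to carry over into any real fix: the permission check runs before any client input is parsed, so an unauthorized caller learns nothing about which names or keys would have been accepted.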

What the fix does

The linked patch [patch_id=6110800] bumps the version and build-date constants in bl-kernel/boot/init.php, raises the version strings in the bundled plugin and theme metadata.json files from 3.18.3 to 3.18.4 while loosening their compatibility strings to "3.18", and replaces a minified TinyMCE theme bundle (+25303 lines). It contains no change to bl-plugins/api/plugin.php, so the diff does not show how the authorization check or file-extension validation was added. The advisory states that the fix is present in 3.18.4, but this release-tag commit alone does not reveal the actual code change; the commit that modifies plugin.php should be located in the repository history before this tag is relied on as evidence of the fix.

Preconditions

  • config: The API Plugin must be enabled on the target Bludit instance.
  • auth: The attacker must possess a valid API token (any permission level, including read-only).
  • network: The attacker must be able to reach the `/api/files/{key}` HTTP endpoint over the network.
  • input: The attacker must be able to upload a file (e.g., via a multipart POST request).

Generated on Jun 15, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 1

News mentions: 0

No linked articles in our index yet.