VYPR
Unrated severity · NVD Advisory · Published Jun 15, 2026 · Updated Jun 15, 2026

CVE-2026-50869

Description

Bludit 3.19.0 API upload endpoint allows authenticated administrators to write files outside the intended directory via path traversal in the multipart filename, potentially leading to code execution.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Bludit 3.19.0 includes an API upload endpoint in bl-plugins/api/plugin.php::uploadFile() that reads the client-supplied multipart filename from $_FILES['file']['name'] into $filename and constructs the destination path as PATH_UPLOADS_PAGES . $pageKey . DS . $filename. The handler blocks a small set of direct script extensions but does not normalize path components or reject .. segments before the filesystem write. This allows a crafted filename containing directory traversal sequences to write files outside the intended page upload directory [1].

Exploitation

An attacker must first authenticate to Bludit 3.19.0 as an administrator and obtain the required API token and administrator authentication token. With these credentials, the attacker chooses a valid page key and sends a multipart upload request to the page file upload API with the file part filename set to a traversal string such as ../../../../.htaccess or ../../../../.user.ini. The uploaded file body can contain arbitrary content. The API returns a success response (status 0, message File uploaded.) and the file is written to the traversed path outside the intended upload directory [1].

Impact

The immediate impact is an authenticated administrator-controlled file write outside the intended upload directory. On deployments where the written dotfile (e.g., .htaccess, .user.ini) is interpreted by the web server or PHP runtime, the write can alter request handling and potentially lead to PHP code execution. In other cases, the confirmed impact is filesystem integrity loss due to arbitrary file creation [1].

Mitigation

As of the publication date (2026-06-15), no official fix has been released for Bludit 3.19.0. Administrators should consider disabling the API plugin if not required, or restrict access to the API endpoint via web server configuration (e.g., IP whitelisting, authentication enforcement). Users should monitor for future updates from the Bludit project [1].

AI Insight generated on Jun 15, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

  • Bludit / Bludit (inferred), 2 version entries, both with range =3.19.0 (no CPE)

Patches

No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing path normalization in the API upload handler allows client-supplied filename components to traverse outside the intended directory."

Attack vector

An authenticated administrator sends a multipart HTTP upload to the page file upload API with a crafted filename containing path traversal sequences such as `../../../../.htaccess`. The server does not sanitize the filename before appending it to the destination path, so the uploaded file is written outside the intended page upload directory [1]. The attacker must first authenticate and obtain both the API token and the administrator authentication token.

Affected code

The vulnerable code is in `bl-plugins/api/plugin.php::uploadFile()`. The function reads `$_FILES['file']['name']` into `$filename` and builds the destination path as `PATH_UPLOADS_PAGES . $pageKey . DS . $filename` without normalizing path components or rejecting `..` segments, allowing directory traversal.

What the fix does

The advisory does not provide a patch. To remediate, the application must normalize the client-supplied filename by rejecting path components such as `..` and `/` before constructing the destination path, ensuring the file is confined to the intended page upload directory [1].
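As an added illustration of the remediation just described (this is not Bludit's code or a project patch): a filename sanitizer plus a realpath-based containment check that together confine the write to the page upload directory. The function names are mine, and `$pageKey` is assumed to have been validated by the caller and to name an existing page directory.

```php
<?php
// Added example, not Bludit's own code: a hardened form of the filename
// handling described above. safeUploadName() and confinedDestination()
// are illustrative names; $pageKey is assumed to be already validated by
// the caller and to name an existing page directory.
declare(strict_types=1);

defined('DS') || define('DS', DIRECTORY_SEPARATOR);

// Reduce the multipart filename to one inert path component, or null.
function safeUploadName(string $clientName): ?string
{
    // Null bytes and both separator styles never belong in a filename.
    if ($clientName === '' || strpbrk($clientName, "\0/\\") !== false) {
        return null;
    }
    // Reject ".", "..", and dotfiles (.htaccess, .user.ini) that a web
    // server or the PHP runtime would interpret as configuration.
    if ($clientName[0] === '.') {
        return null;
    }
    // Allow-list the character set; extension policy stays a separate check.
    if (!preg_match('/^[A-Za-z0-9][A-Za-z0-9._-]{0,200}$/', $clientName)) {
        return null;
    }
    return $clientName;
}

// Build the destination and prove, after symlink resolution, that its
// parent directory lies under $uploadDir. Returns null on any doubt.
function confinedDestination(string $uploadDir, string $pageKey, string $clientName): ?string
{
    $name   = safeUploadName($clientName);
    $base   = realpath($uploadDir);
    $parent = realpath($uploadDir . DS . $pageKey);
    if ($name === null || $base === false || $parent === false) {
        return null;
    }
    // Compare with a trailing separator so "/uploads2" cannot pass as "/uploads".
    if (strncmp($parent . DS, $base . DS, strlen($base) + 1) !== 0) {
        return null;
    }
    return $parent . DS . $name;
}

// Constructed inputs: the advisory's traversal string versus an ordinary name.
var_dump(safeUploadName('../../../../.htaccess'), safeUploadName('photo.jpg'));
```

The allow-list is the primary control; the realpath prefix test is a second layer that also catches a page directory that has been symlinked outside the upload root.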

Preconditions

  • auth: Attacker must be an authenticated administrator with a valid API token and administrator authentication token.
  • input: Attacker must send a crafted multipart upload request with a filename containing path traversal sequences.

Reproduction

Authenticate to Bludit 3.19.0 as an administrator and obtain the API token plus the administrator authentication token required by the API upload flow. Choose a valid page key and send a multipart upload to the page file upload API with the file part filename set to `../../../../.htaccess` or `../../../../.user.ini`. Put a harmless marker or deployment-specific webserver/PHP directive in the uploaded file body. Observe the JSON response reporting success, such as status equal to 0, message equal to File uploaded., and filename reflecting the traversal value. Confirm that the marker file was written outside the page upload directory, or trigger the changed webserver/PHP behavior on a deployment that honors the written configuration file.

Generated on Jun 15, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

1
