CVE-2026-25099
Published: 2026-03-27


Priority: P2 (72)
Severity: High
CVSS 3.1 base score: 8.8
CVSS 3.1 vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploit: available
EPSS: 1.92% (77.3rd percentile)
Bludit’s API plugin allows an authenticated attacker with a valid API token to upload files of any type and extension without restriction, which can then be executed, leading to Remote Code Execution. This issue was fixed in 3.18.4.

Affected

1 range

Vendor   Product   Version range   Fixed in
bludit   bludit    < 3.18.4        3.18.4

Detection & IOCs (extracted from sources)

url:      /api/pages
url:      /api/files/{page_key}
path:     /bl-content/uploads/pages/{page_key}/{shell_name}
filename: [random 8 lowercase chars].php
command:  system($_REQUEST["cmd"])
  • Monitor for POST requests to the Bludit API file upload endpoint /api/files/<page_key> with a Content-Type of application/x-php or files with a .php extension — this is the direct upload vector for the webshell.
  • Alert on any HTTP GET requests to /bl-content/uploads/pages/ paths that include a ?cmd= query parameter, indicating webshell execution attempts.
  • Detect PHP files dropped under the /bl-content/uploads/pages/ directory tree — legitimate Bludit uploads should not include executable .php files in this location.
  • Flag web server processes (e.g., www-data/apache2/php-fpm) spawning child processes such as id, whoami, or shells — the exploit verifies RCE by running 'id' as the first command.
  • Exploitation requires a valid API token; the token is only available when the API plugin is explicitly activated. Instances with the API plugin disabled are not directly exposed, but token leakage via logs or misconfiguration can still enable attacks.
  • The exploit targets Bludit versions prior to 3.18.4; upgrading to 3.18.4 or later remediates the unrestricted upload vulnerability.
  • The exploit PoC zip link points to version 3.18.2, confirming the vulnerable range includes at least 3.18.2 and earlier builds where the API plugin's uploadFile() lacks validation.

CVSS provenance

Source   Version   Score   Severity   Vector
nvd      v3.1      8.8     HIGH       CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd      v4.0      8.7     HIGH       CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X