CVE-2025-26260
Published: 12 March 2025
Summary
CVE-2025-26260 is a high-severity Code Injection (CWE-94) vulnerability in Plenti. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 26.7% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a publicly referenced proof-of-concept.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Directly addresses the core vulnerability by requiring validation of untrusted inputs like crafted filenames in .svelte file uploads to prevent JavaScript code injection and execution.
- Mandates timely flaw remediation through patching, such as upgrading to Plenti v0.7.17, which officially fixes the code execution vulnerability.
- Enforces access controls on the /postLocal endpoint to block unauthenticated uploads of malicious .svelte files, preventing the initial exploitation vector.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability in Plenti's /postLocal endpoint allows remote attackers to achieve code execution by uploading .svelte files whose filenames contain arbitrary JavaScript code that the server executes. This maps to exploitation of a public-facing application and to JavaScript command execution.
NVD Description
Plenti <= 0.7.16 is vulnerable to code execution. Users uploading '.svelte' files via the /postLocal endpoint can define the file name as JavaScript code. The server executes the uploaded file name on the host, causing code execution.
Deeper analysis
CVE-2025-26260 is a code execution vulnerability affecting Plenti versions up to and including 0.7.16. The issue stems from the /postLocal endpoint, which allows users to upload .svelte files where the filename can be crafted to contain JavaScript code. The server executes this filename code directly on the host, leading to arbitrary code execution. The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) and is classified under CWE-94 (Code Injection).
A remote, unauthenticated attacker can exploit this vulnerability by tricking a user into uploading a specially crafted .svelte file via the /postLocal endpoint. The user interaction requirement (UI:R) typically involves social engineering, such as phishing, to induce the upload. Successful exploitation grants the attacker high-impact control over confidentiality, integrity, and availability on the affected server through executed JavaScript code.
Official mitigations are detailed in Plenti's GitHub security advisories (GHSA-mj4v-hp69-27x5) and release notes for version 0.7.17, which patches the flaw. Security practitioners should upgrade to v0.7.17 or later. Further technical details, including a vulnerability playground, are available in the referenced GitHub repository and blog post.
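The input-validation control listed under Mitigating Controls and the filename-driven execution described in the analysis above both come down to one check: never let an uploaded .svelte filename reach any interpreter unvalidated. The following Go code is an added example, not Plenti's own code; the allowlist pattern, the function names and the multipart field name "file" are assumptions.

```go
package main

import (
	"fmt"
	"net/http"
	"path"
	"regexp"
	"strings"
)
// Allowlist for an uploaded component name (an assumption, not Plenti's own rule): a bare
// basename of letters, digits, '_' or '-' ending in .svelte, so no JavaScript tokens fit.
var svelteName = regexp.MustCompile(`^[A-Za-z0-9][A-Za-z0-9_-]{0,63}\.svelte$`)

// ValidateSvelteFilename checks the untrusted filename of a /postLocal upload.
func ValidateSvelteFilename(name string) error {
	if name == "" {
		return fmt.Errorf("empty filename")
	}
	if strings.ContainsAny(name, `/\`) || path.Base(name) != name {
		return fmt.Errorf("filename must not contain path components")
	}
	if !svelteName.MatchString(name) {
		return fmt.Errorf("filename %q is outside the allowed pattern", name)
	}
	return nil
}

// PostLocalGuard rejects a multipart upload whose filename fails validation
// before the wrapped handler touches it. The field name "file" is an assumption.
func PostLocalGuard(next http.HandlerFunc) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		_, hdr, err := r.FormFile("file")
		if err != nil {
			http.Error(w, "missing file part", http.StatusBadRequest)
			return
		}
		if err := ValidateSvelteFilename(hdr.Filename); err != nil {
			http.Error(w, "rejected filename", http.StatusBadRequest)
			return
		}
		next(w, r)
	}
}

func main() {
	// Constructed sample names: the first is accepted, the rest are rejected.
	for _, n := range []string{"Hero.svelte", "../Hero.svelte", "Hero'.svelte", "Hero.svelte.js"} {
		fmt.Printf("%-16s -> %v\n", n, ValidateSvelteFilename(n))
	}
}
```

Wrap the real upload handler with PostLocalGuard so the check runs before the file is stored or compiled; pair it with the access-control and patching controls above rather than relying on validation alone.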
Details
- CWE(s)