Cyber Resilience

CVE-2026-25099

Severity: High
Published: 27 March 2026
Modified: 01 April 2026
KEV Added: not listed
Patch: available (fixed in 3.18.4)
CVSS v4 score: 8.7 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.0192 (77.2nd percentile)
Risk Priority: 55 (floored blend, peak EPSS)

Summary

CVE-2026-25099 is a high-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in the API plugin of Bludit (vendor: Bludit). Its CVSS v4 base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 22.8% of CVEs by exploit likelihood (EPSS) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

Bludit’s API plugin is affected by an unrestricted file upload vulnerability tracked as CVE-2026-25099. An authenticated user possessing a valid API token can upload files with arbitrary extensions and content types that are subsequently stored on the server and can be executed, resulting in remote code execution. The flaw is classified under CWE-434 and carries a CVSS 4.0 score of 8.7. It was addressed in Bludit version 3.18.4.

An attacker who obtains a legitimate API token can exploit the issue over the network without user interaction to place and run malicious files, achieving full control over the affected Bludit instance including the ability to modify, exfiltrate, or disrupt data and services.

The official fix is described in the Bludit 3.18.4 release notes on GitHub, and further details are provided in the CERT.pl advisory. Operators should upgrade promptly and review how API tokens are issued, scoped and stored, since a leaked or over-privileged token is the only precondition for exploitation.
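The upload-handling weakness described above, together with the input-validation and access-enforcement controls named in the summary, is illustrated by the following added example. It is not Bludit's code: the allowed-extension policy, the `upload:media` token scope, the magic-byte table and the helper names are assumptions chosen for illustration. `naive_save` shows the pattern the advisory describes (client-supplied name and content trusted and written where the web server can execute them); `validate_upload` and `hardened_save` show the checks that close it, including the double-extension, path-traversal and dotfile cases a practitioner would test for.

```python
"""Added example (not Bludit's code): naive vs. hardened handling of an
authenticated API upload. Policy, token scope and helper names are assumed."""
import os
import secrets
from pathlib import Path

# Assumed policy: the only extensions a media upload endpoint accepts.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "webp", "pdf", "txt"}

# Extensions a PHP-capable web server may execute. Checked against every
# dotted segment so that "shell.php.jpg" is rejected as well as "shell.php".
EXECUTABLE_EXTENSIONS = {"php", "php3", "php4", "php5", "php7", "php8",
                         "phtml", "phar", "phps", "cgi", "pl", "sh"}

# Leading bytes expected for the allowed binary formats (assumed subset).
MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
    "webp": (b"RIFF",),
    "pdf": (b"%PDF-",),
}


class UploadRejected(Exception):
    """Raised with a short reason when an upload fails validation."""


def naive_save(upload_dir: Path, filename: str, data: bytes) -> Path:
    """The vulnerable pattern: the client-supplied name and content are
    trusted, so "shell.php" lands in a web-served directory and executes."""
    target = upload_dir / filename
    target.write_bytes(data)
    return target


def validate_upload(filename: str, data: bytes, token_scopes: set) -> str:
    """Return a server-chosen storage name or raise UploadRejected."""
    # AC-3: holding a valid token is not enough; the token must be scoped
    # for uploads (the scope name is an assumption for this example).
    if "upload:media" not in token_scopes:
        raise UploadRejected("token lacks upload scope")

    # Drop any directory component the client sent (path traversal).
    base = os.path.basename(filename.replace("\\", "/"))
    parts = base.lower().split(".")
    if len(parts) < 2 or "" in parts:
        # Also rejects dotfiles such as ".htaccess", which can re-enable
        # script execution inside the upload directory.
        raise UploadRejected("missing or empty extension")

    # SI-10: an executable extension anywhere in the name is refused.
    if EXECUTABLE_EXTENSIONS & set(parts[1:]):
        raise UploadRejected("executable extension in name")

    ext = parts[-1]
    if ext not in ALLOWED_EXTENSIONS:
        raise UploadRejected(f"extension .{ext} not allowed")

    # The content must look like the type the extension claims.
    if ext in MAGIC and not data.startswith(MAGIC[ext]):
        raise UploadRejected("content does not match extension")

    # Plain-text uploads must not smuggle a PHP open tag.
    if ext == "txt" and b"<?" in data:
        raise UploadRejected("script tag in text upload")

    # The client name never reaches the filesystem; only the vetted
    # extension survives, attached to a random server-chosen name.
    return f"{secrets.token_hex(16)}.{ext}"


def hardened_save(upload_dir: Path, filename: str, data: bytes,
                  token_scopes: set) -> Path:
    """Validate first, then write under the server-chosen name."""
    target = upload_dir / validate_upload(filename, data, token_scopes)
    target.write_bytes(data)
    return target


def outcome(filename: str, data: bytes, token_scopes: set) -> str:
    """'accepted' or the rejection reason; convenient for tests and demos."""
    try:
        validate_upload(filename, data, token_scopes)
        return "accepted"
    except UploadRejected as exc:
        return str(exc)


if __name__ == "__main__":
    scopes = {"upload:media"}
    samples = [
        ("shell.php", b"<?php system($_GET['c']); ?>"),
        ("shell.php.jpg", b"<?php system($_GET['c']); ?>"),
        ("../../index.php", b"<?php echo 1; ?>"),
        (".htaccess", b"AddType application/x-httpd-php .jpg"),
        ("logo.png", b"<?php phpinfo(); ?>"),
        ("logo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),
    ]
    for name, body in samples:
        print(f"{name:18} -> {outcome(name, body, scopes)}")
    print(f"{'logo.png':18} -> {outcome('logo.png', samples[-1][1], set())}")
```

The extension check deliberately looks at every dotted segment rather than only the last one, because a server configured to map multiple extensions (or one with `AddHandler` rules) can still execute `shell.php.jpg`; storing the file under a random name with only the vetted extension removes the client's control over the stored path entirely. Serving the upload directory with script execution disabled is the complementary least-functionality control.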

EPSS for the CVE rose from a low baseline to a peak of 0.0142 before settling at the current value of 0.0053, indicating emerging exploitation interest after disclosure.

Vulnerability details

Bludit’s API plugin allows an authenticated attacker with a valid API token to upload files of any type and extension without restriction, which can then be executed, leading to Remote Code Execution. This issue was fixed in 3.18.4.

CWE(s)

CWE-434 Unrestricted Upload of File with Dangerous Type

Related Threats

MITRE ATT&CK Enterprise Techniques [AI]

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1505.003 Web Shell (Persistence): Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Why these techniques?

The CVE enables exploitation of a public-facing CMS API (T1190) through unrestricted file uploads, which directly facilitates web shell deployment and RCE (T1505.003).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
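As an added example for the T1190 to T1505.003 chain mapped above (not Bludit's code and not any vendor's detection content): a small correlation over web-server access logs that flags a client which POSTs to the upload API and then requests a server-side script from the upload directory, plus a pure content check for sweeping the upload tree for dropped shells. The API prefix, upload directory, script-extension list and log lines are constructed assumptions; adapt them to the monitored deployment.

```python
"""Added example (not Bludit's code): detecting the T1190 -> T1505.003 chain
in web-server access logs. Paths and log lines are constructed assumptions."""
import re
from collections import defaultdict

# Common/combined log format fields needed here: client IP, method, path, status.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Assumed layout: the CMS API lives under /api/ and uploads are stored under
# /bl-content/uploads/; adjust both to the deployment being monitored.
UPLOAD_API_PREFIX = "/api/"
UPLOAD_DIR_PREFIX = "/bl-content/uploads/"

# A server-side script extension anywhere in the path; the lookahead also
# catches double extensions ("a.php.jpg") and query strings ("cmd.php?c=id").
SCRIPT_EXT_RE = re.compile(r"\.(php\d?|phtml|phar|phps)(?=[./?]|$)", re.IGNORECASE)

# Markers a PHP web shell typically shows in its first bytes.
SHELL_MARKERS = (b"<?php", b"<?=", b'<script language="php"')


def parse_line(line: str):
    """Return the matched fields as a dict, or None for unparseable lines."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_webshell_chains(lines):
    """Return a list of (ip, last_upload_api_path_or_None, script_path), one
    entry per request for a script under the upload directory. The entry
    carries the upload API call when the same client made one earlier in the
    log window, which is the high-confidence web-shell chain."""
    uploads_by_ip = defaultdict(list)
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, path = rec["ip"], rec["path"]
        if rec["method"] == "POST" and path.startswith(UPLOAD_API_PREFIX):
            uploads_by_ip[ip].append(path)
        elif path.startswith(UPLOAD_DIR_PREFIX) and SCRIPT_EXT_RE.search(path):
            prior = uploads_by_ip.get(ip)
            alerts.append((ip, prior[-1] if prior else None, path))
    return alerts


def suspicious_upload_file(name: str, head: bytes) -> bool:
    """Pure check for sweeping the upload tree: a script extension in the
    name, or PHP markers at the start of an ostensibly non-script file."""
    if SCRIPT_EXT_RE.search(name):
        return True
    return head.lstrip().startswith(SHELL_MARKERS)


# Constructed sample log: a token holder uploads via the API and then calls
# the dropped script; a second client fetches a double-extension file.
SAMPLE_LOG = [
    '203.0.113.7 - - [27/Mar/2026:10:00:01 +0000] "GET /api/pages HTTP/1.1" 200 512',
    '203.0.113.7 - - [27/Mar/2026:10:00:05 +0000] "POST /api/images HTTP/1.1" 200 88',
    '203.0.113.7 - - [27/Mar/2026:10:00:09 +0000] "GET /bl-content/uploads/cmd.php?c=id HTTP/1.1" 200 44',
    '198.51.100.20 - - [27/Mar/2026:10:01:00 +0000] "GET /bl-content/uploads/logo.png HTTP/1.1" 200 9000',
    '198.51.100.21 - - [27/Mar/2026:10:02:00 +0000] "GET /bl-content/uploads/a.php.jpg HTTP/1.1" 200 40',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for ip, api_call, script in find_webshell_chains(SAMPLE_LOG):
        confidence = "HIGH" if api_call else "MEDIUM"
        print(f"[{confidence}] {ip} fetched {script} (prior upload call: {api_call})")
    print(suspicious_upload_file("photo.jpg", b"  <?php eval($_POST['x']); ?>"))
```

Any request for a script under the upload directory is worth an alert on its own, because a correctly configured CMS never serves executable content from there; the correlation with a preceding upload API call from the same client turns it into a high-confidence T1190 to T1505.003 finding and points at the token that needs revoking.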

CVEs Like This One

CVE-2026-25101 (same product: Bludit)
CVE-2025-22654 (shared CWE-434)
CVE-2025-11948 (shared CWE-434)
CVE-2025-67260 (shared CWE-434)
CVE-2025-28915 (shared CWE-434)
CVE-2023-53956 (shared CWE-434)
CVE-2025-6058 (shared CWE-434)
CVE-2021-47819 (shared CWE-434)
CVE-2025-7852 (shared CWE-434)
CVE-2026-4883 (shared CWE-434)

Affected Assets

Bludit (vendor: Bludit), versions before 3.18.4 (fixed in 3.18.4)

Mitigating Controls (NIST 800-53 r5) [AI]

SI-10 Information Input Validation (prevent): Directly enforces validation of file types and extensions on API uploads, blocking the arbitrary executable content that enables RCE in this CVE.

AC-3 Access Enforcement (prevent): Enforces authorization rules on the API plugin so that even a valid token cannot perform unrestricted file uploads leading to code execution.

CM-7 Least Functionality (prevent): Restricts the system to essential capabilities only, disabling or limiting the unrestricted file-upload functionality exploited via the API token.
