CVE-2026-25099
Published: 27 March 2026
Summary
CVE-2026-25099 is a high-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in the Bludit CMS (vendor Bludit, product Bludit). Its CVSS base score is 8.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 22.8% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
Bludit’s API plugin is affected by an unrestricted file upload vulnerability tracked as CVE-2026-25099. An authenticated user possessing a valid API token can upload files with arbitrary extensions and content types that are subsequently stored on the server and can be executed, resulting in remote code execution. The flaw is classified under CWE-434 and carries a CVSS 4.0 score of 8.7. It was addressed in Bludit version 3.18.4.
An attacker who obtains a legitimate API token can exploit the issue over the network without user interaction to place and run malicious files, achieving full control over the affected Bludit instance including the ability to modify, exfiltrate, or disrupt data and services.
The official fix is available in the 3.18.4 release notes on GitHub, and further details are provided in the CERT.pl advisory at the referenced URL. Operators should upgrade promptly and review API token issuance practices.
EPSS for the CVE rose from a low baseline to a peak of 0.0142 before settling at the current value of 0.0053, indicating emerging exploitation interest after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-16577
- 🇵🇱 CERT-PL: cert.pl
Vulnerability details
Bludit’s API plugin allows an authenticated attacker with a valid API token to upload files of any type and extension without restriction, which can then be executed, leading to Remote Code Execution. This issue was fixed in 3.18.4.
- CWE(s): CWE-434 (Unrestricted Upload of File with Dangerous Type)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE enables exploitation of a public-facing CMS API (T1190) through unrestricted file uploads, directly facilitating web shell deployment and RCE (T1100).
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly enforces validation of file types and extensions on API uploads, blocking the arbitrary executable content that enables RCE in this CVE.
- AC-3 (Access Enforcement): enforces authorization rules on the API plugin so that even a valid token cannot perform unrestricted file uploads leading to code execution.
- CM-7 (Least Functionality): restricts the system to essential capabilities only, disabling or limiting the unrestricted file-upload functionality exploited via the API token.
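As an added example (not Bludit's code and not the 3.18.4 fix), this is the kind of allowlist check SI-10 calls for on an API upload endpoint: extension allowlist, magic-byte sniffing instead of the client's Content-Type, rejection of traversal, NUL and double-extension names, and a server-chosen stored name. The extension table, function names and sample inputs are constructed for the demo.

```python
"""Allowlist validation for an API upload, the SI-10 style check this CVE's
mitigation describes. Added example, not Bludit's code; the allowlist and
magic-byte table are assumptions for the demo."""
import os
import secrets
from typing import Optional

# Extension -> (MIME type, magic prefix). Only these types are ever stored;
# php, phtml, phar, .htaccess and anything unknown is denied by default.
ALLOWED = {
    "png": ("image/png", b"\x89PNG\r\n\x1a\n"),
    "jpg": ("image/jpeg", b"\xff\xd8\xff"),
    "jpeg": ("image/jpeg", b"\xff\xd8\xff"),
    "gif": ("image/gif", b"GIF8"),
    "pdf": ("application/pdf", b"%PDF-"),
}

def sniff_mime(data: bytes) -> Optional[str]:
    """Identify content by its leading bytes; the client-sent Content-Type
    header is untrusted and never consulted."""
    for mime, magic in ALLOWED.values():
        if data.startswith(magic):
            return mime
    return None

def validate_upload(client_name: str, data: bytes) -> Optional[str]:
    """Return a server-chosen filename for a valid upload, or None to reject."""
    # Drop any directory part the client sent (../ or absolute paths) and
    # refuse control characters such as NUL that can truncate a name.
    base = os.path.basename(client_name.replace("\\", "/"))
    if any(ord(c) < 32 for c in base):
        return None
    # Exactly one dot: rejects bare ".htaccess" and "x.php.png" double
    # extensions, which some web servers route to a handler by the inner one.
    parts = base.split(".")
    if len(parts) != 2 or not parts[0]:
        return None
    ext = parts[1].lower()
    if ext not in ALLOWED or sniff_mime(data) != ALLOWED[ext][0]:
        return None  # unknown extension, or bytes that do not match it
    # Never reuse the client's name; the stored path is fully server-chosen.
    return f"{secrets.token_hex(16)}.{ext}"

if __name__ == "__main__":
    # Constructed sample inputs: a minimal PNG header and PHP source text.
    png, php = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16, b"<?php echo 'x'; ?>"
    for name, data in [("photo.png", png), ("photo.png", php), ("x.php.png", png),
                       ("../shell.php", php), ("a.png\x00.php", png)]:
        print(repr(name), "->", validate_upload(name, data))
```

Only the first input is accepted; every other case is refused before anything is written to disk, and the accepted file is stored under a random name the client never sees in advance.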