CVE-2026-25099
Severity: HIGH
WAF Coverage: Medium
CVSS: 8.8
Published: 2026-03-27
CWE-434
Bludit's API plugin allows an authenticated attacker holding a valid API token to upload files of any type and extension without restriction; an uploaded file can then be executed on the server, leading to Remote Code Execution. This issue was fixed in 3.18.4.
WAF Coverage Analysis
Unrestricted File Upload
Medium WAF Coverage
OWASP: A04:2021 Insecure Design
930xxx - Local File Inclusion
Affected Software
| Vendor | Product | Version |
|---|---|---|
| bludit | bludit | up to 3.18.4 |
References
- cert.pl (Third Party Advisory)
- github.com (Release Notes)