CVE-2026-25099

Published: Mar 27, 2026 Last Modified: Mar 27, 2026

ExploitDB:

Other exploit source:

Google Dorks:

HIGH 8,7

Source: [email protected]

Attack Vector: network

Attack Complexity: low

Privileges Required: low

User Interaction: none

Confidentiality: N/A

Integrity: N/A

Availability: N/A

Description

AI Translation Available

Bludit’s API plugin allows an authenticated attacker with a valid API token to upload files of any type and extension without restriction, which can then be executed, leading to Remote Code Execution.

This issue was fixed in 3.18.4.

EPSS (Exploit Prediction Scoring System)

Trend Analysis

EPSS (Exploit Prediction Scoring System)

Prevede la probabilità di sfruttamento basata su intelligence sulle minacce e sulle caratteristiche della vulnerabilità.

EPSS Score

0,0041

Percentile

0,6th

Updated

EPSS Score Trend (Last 2 Days)

434

Unrestricted Upload of File with Dangerous Type

Draft

Abstraction: Base Structure: Simple

Common Consequences

Security Scopes Affected:

Integrity Confidentiality Availability

Potential Impacts:

Execute Unauthorized Code Or Commands

Applicable Platforms

Languages: ASP.NET, Not Language-Specific, PHP

Technologies: Web Server

Likelihood of Exploit: Medium

View CWE Details

https://cert.pl/posts/2026/03/CVE-2026-25099

https://github.com/bludit/bludit/releases/tag/3.18.4

CVE-2026-25099

Description

EPSS (Exploit Prediction Scoring System)

EPSS (Exploit Prediction Scoring System)

EPSS Score Trend (Last 2 Days)

Unrestricted Upload of File with Dangerous Type

Common Consequences

Applicable Platforms

Iscriviti alla newsletter