Description
Bludit CMS before version 3.18.4 allows Remote Code Execution (RCE) via the API Plugin. The POST /api/files/{key} endpoint in bl-plugins/api/plugin.php fails to perform authorization checks and lacks file extension validation. An attacker with a valid API token can upload a malicious PHP script and execute arbitrary code on the server.
Published: 2026-06-15
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw resides in Bludit CMS’s API Plugin. The POST /api/files/{key} endpoint does not enforce proper authorization and accepts uploads without validating file extensions. An attacker who has a valid API token can upload a malicious PHP script through this endpoint and then trigger its execution, granting full code execution privileges on the server. The issue is classified as Missing Authorization (CWE-862).

Affected Systems

Bludit CMS versions prior to 3.18.4 that have the API Plugin enabled. The vulnerability is exploitable only when the target has a valid API token that the attacker can obtain or guess, and the API Plugin must be operational.

Risk and Exploitability

The CVSS score of 9.8 indicates critical severity, while the EPSS score of <1% implies a very low probability of exploitation at present. The vulnerability is not listed in the CISA KEV catalog, suggesting no known active exploits. An attacker requires a legitimate API token, then can upload a PHP file to /api/files/{key} and execute it by accessing the uploaded file, resulting in complete compromise of the affected system.

Generated by OpenCVE AI on June 18, 2026 at 01:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Bludit CMS to version 3.18.4 or later.
  • If the API Plugin is unnecessary, disable it entirely.
  • Restrict API token usage and limit endpoints to secure file types or enforce file extension validation via a firewall or WAF.

Generated by OpenCVE AI on June 18, 2026 at 01:40 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Bludit
Bludit bludit Cms
Vendors & Products Bludit
Bludit bludit Cms

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Title Bludit CMS API Plugin Remote Code Execution via Unsanitized File Upload

Wed, 17 Jun 2026 05:15:00 +0000

Type Values Removed Values Added
Title Bludit CMS API Plugin Remote Code Execution via Unsanitized File Upload

Tue, 16 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-862
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 15 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Description Bludit CMS before version 3.18.4 allows Remote Code Execution (RCE) via the API Plugin. The POST /api/files/{key} endpoint in bl-plugins/api/plugin.php fails to perform authorization checks and lacks file extension validation. An attacker with a valid API token can upload a malicious PHP script and execute arbitrary code on the server.
References

Subscriptions

Bludit Bludit Cms
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-06-16T13:43:20.386Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-38329

cve-icon Vulnrichment

Updated: 2026-06-16T13:43:08.274Z

cve-icon NVD

Status : Deferred

Published: 2026-06-15T20:16:27.000

Modified: 2026-06-16T15:16:37.800

Link: CVE-2026-38329

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T09:46:42Z

Weaknesses