Description
An issue in the api/plugin.php component of Bludit v3.19.0 allows attackers to execute a directory traversal via supplying a crafted request.
Published: 2026-06-15
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A directory traversal flaw in the api/plugin.php component of Bludit allows an attacker to craft requests that resolve file paths outside the intended directory, providing unauthorized read access to files stored outside the web root. The weakness is classified as CWE‑22 and is quantified with a CVSS score of 9.8, indicating critical risk to confidentiality.

Affected Systems

Bludit version 3.19.0 is explicitly affected by this directory traversal issue in api/plugin.php; no other releases or products were cited as impacted in the CVE data.

Risk and Exploitability

Based on the description, it is inferred that a remote attacker can trigger the traversal by sending a specially crafted HTTP request to the vulnerable endpoint. The EPSS score of less than 1% suggests that exploitation attempts are currently rare and the vulnerability is not listed in the CISA KEV catalog. Nonetheless, the high CVSS rating and the potential for arbitrary file reads maintain a significant risk that warrants swift action.

Generated by OpenCVE AI on June 18, 2026 at 07:16 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest vendor‑supplied patch or upgrade Bludit to a version where the directory traversal in api/plugin.php is fixed.
  • If a patch is unavailable, restrict access to the api/plugin.php URL by configuring the web server to allow requests only from trusted IP ranges or hosts.
  • Ensure the web‑server process runs with restrictive file‑system permissions to prevent reading sensitive files outside the web root path.

Generated by OpenCVE AI on June 18, 2026 at 07:16 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Bludit
Bludit bludit Cms
Vendors & Products Bludit
Bludit bludit Cms

Thu, 18 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Title Bludit API Plugin Directory Traversal Allows Unauthorized File Access

Wed, 17 Jun 2026 05:15:00 +0000

Type Values Removed Values Added
Title Bludit API Plugin Directory Traversal Allows Unauthorized File Access

Tue, 16 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-22
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 15 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Description An issue in the api/plugin.php component of Bludit v3.19.0 allows attackers to execute a directory traversal via supplying a crafted request.
References

Subscriptions

Bludit Bludit Cms
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-06-16T14:05:30.539Z

Reserved: 2026-06-07T00:00:00.000Z

Link: CVE-2026-50869

cve-icon Vulnrichment

Updated: 2026-06-16T14:04:10.224Z

cve-icon NVD

Status : Deferred

Published: 2026-06-15T20:16:29.677

Modified: 2026-06-16T15:16:42.767

Link: CVE-2026-50869

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T09:46:39Z

Weaknesses
  • CWE-22

    Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')