CVE Catalog

CVE-2026-38329

CriticalCVSS 9.8
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.21%

11th percentile — higher than 11% of all known CVEs

Summary

Bludit CMS before version 3.18.4 allows Remote Code Execution (RCE) via the API Plugin. The POST /api/files/{key} endpoint in bl-plugins/api/plugin.php fails to perform authorization checks and lacks file extension validation.

Risk Assessment

An attacker with a valid API token can upload a malicious PHP script and execute arbitrary code on the server, posing a serious security threat to the system.

Recommendation

It is recommended to update Bludit CMS to version 3.18.4 or later and implement additional authorization verification and file extension validation mechanisms.

Original NVD description (English source)

Bludit CMS before version 3.18.4 allows Remote Code Execution (RCE) via the API Plugin. The POST /api/files/{key} endpoint in bl-plugins/api/plugin.php fails to perform authorization checks and lacks file extension validation. An attacker with a valid API token can upload a malicious PHP script and execute arbitrary code on the server.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS