CVE-2026-38329
CriticalCVSS 9.8Exploitation Probability (EPSS)
Low risk11th percentile — higher than 11% of all known CVEs
Summary
Bludit CMS before version 3.18.4 allows Remote Code Execution (RCE) via the API Plugin. The POST /api/files/{key} endpoint in bl-plugins/api/plugin.php fails to perform authorization checks and lacks file extension validation.
Risk Assessment
An attacker with a valid API token can upload a malicious PHP script and execute arbitrary code on the server, posing a serious security threat to the system.
Recommendation
It is recommended to update Bludit CMS to version 3.18.4 or later and implement additional authorization verification and file extension validation mechanisms.
Original NVD description (English source)
Bludit CMS before version 3.18.4 allows Remote Code Execution (RCE) via the API Plugin. The POST /api/files/{key} endpoint in bl-plugins/api/plugin.php fails to perform authorization checks and lacks file extension validation. An attacker with a valid API token can upload a malicious PHP script and execute arbitrary code on the server.

