Bludit fixes authenticated file upload leading to RCE
TL;DR — If Bludit’s API plugin is enabled, an attacker with a valid API token can upload and execute arbitrary files, resulting in remote code execution.
What happened
Bludit is an open-source, flat-file PHP CMS. CVE-2026-25099 reports that Bludit’s API plugin allows an authenticated attacker (with a valid API token) to upload files of any type/extension “without restriction,” and those files can then be executed, leading to remote code execution.
The CVE record notes the API plugin is disabled by default and must be manually enabled by an administrator. The CVE assigns a CVSS v4.0 base score of 8.7 (High) with network attack vector, low attack complexity, and no user interaction.
Unrestricted upload remains a repeatable “short path” to RCE in PHP CMS deployments; when API tokens are exposed via logs, CI/CD, or third-party integrations, the reachable attack surface grows quickly.
Who is impacted
- Instances running `bludit` versions < 3.18.4 (per CVE affected-version range).
- Deployments where Bludit’s `API` plugin has been enabled (the CVE notes it is disabled by default).
- Environments where an attacker can obtain or misuse a valid API token (CVSS privileges required: Low).
| Component | Affected versions (per CVE record) | Fixed version (per CVE record) |
|---|---|---|
| bludit | < 3.18.4 | 3.18.4 |
What to do now
- Follow vendor remediation guidance and apply the latest patched release available at the time of writing.
"This issue was fixed in 3.18.4."
- Confirm whether the `API` plugin is enabled in any internet-reachable Bludit deployments; if it is enabled, treat the upload surface as production-critical.
- Audit API token handling (generation, storage, logging, CI/CD variables) and rotate tokens that may have been exposed, especially for externally accessible instances.
- Review web server logs and filesystem changes for unexpected uploaded files (pay extra attention to web-accessible upload paths and recently modified executable content).
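One way to carry out that last review, added here as an example that is not part of the advisory or of Bludit’s own code: a scanner that walks an upload directory and flags files a PHP CMS should never serve from there. It assumes the directory is meant to hold only images and PDFs (the allowlist is an assumption, adjust it to your deployment) and that the web server may execute the listed extensions.

```python
"""Scan a CMS upload directory for files that should not be there."""
import re
import tempfile
from pathlib import Path
from typing import List, Optional, Tuple

# Extensions the PHP interpreter (or a typical Apache handler map) may execute.
EXECUTABLE_EXT = {".php", ".phtml", ".phar", ".php3", ".php4", ".php5", ".php7", ".phps"}
# Files that alter server behaviour even without an executable extension.
SERVER_CONFIG_NAMES = {".htaccess", ".user.ini"}
# Assumed allowlist: what an image/attachment upload directory is expected to hold.
ALLOWED_EXT = {".png", ".jpg", ".jpeg", ".gif", ".webp", ".pdf"}
PHP_OPEN_TAG = re.compile(rb"<\?(?:php\b|=)", re.IGNORECASE)


def classify(path: Path) -> Optional[str]:
    """Return a reason string for a suspicious file, or None if it looks benign."""
    name = path.name.lower()
    suffixes = [s.lower() for s in path.suffixes]  # catches x.php.png style double extensions
    if name in SERVER_CONFIG_NAMES:
        return "server config file in upload dir"
    if any(s in EXECUTABLE_EXT for s in suffixes):
        return f"executable extension {''.join(suffixes)}"
    if not suffixes:
        return "no extension"
    if suffixes[-1] not in ALLOWED_EXT:
        return f"extension {suffixes[-1]} not on allowlist"
    # Content check: a PHP open tag inside an "image" indicates a polyglot upload.
    with path.open("rb") as fh:
        head = fh.read(64 * 1024)
    if PHP_OPEN_TAG.search(head):
        return "PHP open tag inside non-PHP file"
    return None


def scan_uploads(root: Path) -> List[Tuple[str, str]]:
    """Walk root and return (relative path, reason) for every suspicious file, sorted by path."""
    findings = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        reason = classify(path)
        if reason:
            findings.append((path.relative_to(root).as_posix(), reason))
    return findings


def demo() -> List[Tuple[str, str]]:
    """Build a constructed sample tree (not real data) in a temp dir and scan it."""
    root = Path(tempfile.mkdtemp())
    (root / "2026").mkdir()
    (root / "2026" / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0 constructed jpeg stub")  # benign
    (root / "2026" / "cmd.php").write_bytes(b"<?php echo 1; ?>")                          # executable
    (root / "2026" / "poly.jpg").write_bytes(b"\xff\xd8\xff\xe0<?php echo 1;")            # polyglot
    (root / "2026" / "x.php.png").write_bytes(b"\x89PNG")                                  # double ext
    (root / ".htaccess").write_bytes(b"# constructed sample")                              # server config
    return scan_uploads(root)
```

Run `demo()` to see the four expected findings; in production call `scan_uploads(Path("/path/to/uploads"))` and compare the output against a known-good baseline or feed it to your ticketing pipeline.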
