Remote Code Execution in Bludit CMS 3.18.4 (CVE‑2026‑25099) Affects Websites Using the Open‑Source CMS
What Happened — The API plugin in Bludit CMS < 3.18.4 accepts file uploads without validating extensions or content. An attacker who obtains a valid API token can upload a PHP web‑shell, which executes as the web‑server user (www‑data) and provides full remote code execution. The flaw is tracked as CVE‑2026‑25099 and was patched in version 3.18.4.
Why It Matters for TPRM —
- RCE on a third‑party web application can be leveraged to pivot into the broader corporate network.
- Compromise of an API token often stems from misconfiguration or credential reuse, exposing supply‑chain risk.
- Many small‑to‑mid‑size enterprises rely on Bludit for public‑facing sites; a breach can affect brand reputation and data integrity.
Who Is Affected — Media & publishing firms, marketing agencies, small‑business e‑commerce sites, and any organization that deploys Bludit CMS (open‑source) for web content.
Recommended Actions —
- Upgrade all Bludit installations to 3.18.4 or later immediately.
- Rotate all API tokens and enforce least‑privilege access to the API plugin.
- Harden the web server: disable PHP execution in upload directories and apply WAF rules to block suspicious file types.
- Conduct token‑leak audits (logs, backups, misconfigurations) and monitor for anomalous file‑upload activity.
Technical Notes — Attack vector: file upload via the /api/files/<page-key> endpoint, requiring no user login beyond a stolen or exposed API token. No fix exists for versions earlier than 3.18.4. Exploit code is publicly available on Exploit‑DB (EDB‑ID 52553). Impact: server‑side code execution, with potential access to stored credentials and proprietary content. Source: https://www.exploit-db.com/exploits/52553
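As an added defender-side check covering the monitoring action above and the endpoint named in the technical notes (example code written for this page, not part of the advisory or of Bludit), the script below walks an upload tree for files that carry a PHP extension anywhere in their name or a PHP open tag in their content, and pulls successful POSTs to /api/files/<page-key> out of combined-format access logs. The bl-content/uploads path is an assumption about where Bludit stores uploads, and the log lines and files are constructed sample data.

```python
import re
import tempfile
from pathlib import Path

# Extensions that have no business in a CMS media directory. Names are
# checked component-wise so "img.php.jpg" is caught as well as "shell.php".
PHP_EXTS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar"}
PHP_TAG = re.compile(rb"<\?(?:php|=)")

def suspicious_name(name: str) -> bool:
    """True if any extension component of the file name is a PHP extension."""
    return any(part.lower() in PHP_EXTS for part in name.split(".")[1:])

def scan_uploads(root: Path) -> list[str]:
    """Files under root with a PHP extension or a PHP open tag in their first
    64 KiB (the content check catches uploads disguised as images)."""
    hits = []
    for f in sorted(p for p in root.rglob("*") if p.is_file()):
        with f.open("rb") as fh:
            head = fh.read(65536)
        if suspicious_name(f.name) or PHP_TAG.search(head):
            hits.append(f.relative_to(root).as_posix())
    return hits

# Combined log format; the upload call named in the advisory is a POST to
# /api/files/<page-key>, so successful ones are the events worth reviewing.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

def api_upload_events(lines: list[str]) -> list[dict]:
    """Return ip, timestamp and page-key for each successful POST to /api/files/."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and m["method"] == "POST" and m["path"].startswith("/api/files/") and m["status"][0] == "2":
            page = m["path"][len("/api/files/"):].split("?")[0]
            events.append({"ip": m["ip"], "ts": m["ts"], "page": page})
    return events

# Constructed sample log (not a real site): one successful upload, one read, one rejected upload.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Feb/2026:12:00:01 +0000] "POST /api/files/about-us HTTP/1.1" 200 51 "-" "curl/8.0"',
    '198.51.100.9 - - [10/Feb/2026:12:00:09 +0000] "GET /api/pages HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Feb/2026:12:00:14 +0000] "POST /api/files/about-us HTTP/1.1" 400 40 "-" "curl/8.0"',
]

def demo() -> tuple[list[str], list[dict]]:
    """Build a throwaway upload tree of constructed files and run both checks."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp, "bl-content", "uploads")  # assumed Bludit upload path
        page_dir = root / "pages" / "about-us"
        page_dir.mkdir(parents=True)
        (page_dir / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0 constructed jpeg bytes")
        (page_dir / "img.php.jpg").write_bytes(b"GIF89a")                       # double extension
        (page_dir / "logo.png").write_bytes(b"\x89PNG\r\n<?php /* marker */ ?>")  # tag inside image
        return scan_uploads(root), api_upload_events(SAMPLE_LOG)
```

Run the two functions against the real bl-content/uploads tree and access log; any hit from scan_uploads or any upload event from an unexpected source IP or outside normal editing hours warrants a token rotation and an incident review.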