CVE-2025-26260

Name of the Vulnerable Software and Affected Versions: Plenti versions 0.7.16 and earlier

Description: The issue allows code execution when users upload '.svelte' files with the /postLocal endpoint and define the file name as javascript codes. The server executes the uploaded file name, causing code execution. This can lead to a Denial of Service impact due to the sandboxing. If there is a vulnerability in v8go that allows escaping the sandbox, different impacts can be shown.

Recommendations: For Plenti versions 0.7.16 and earlier, as a temporary workaround, consider restricting access to the /postLocal endpoint to minimize the risk of exploitation. Avoid using the file parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.