CVE-2026-38329

None

No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.

Bludit CMS before version 3.18.4 allows Remote Code Execution (RCE) via the API Plugin. The POST /api/files/{key} endpoint in bl-plugins/api/plugin.php fails to perform authorization checks and lacks file extension validation. An attacker with a valid API token can upload a malicious PHP script and execute arbitrary code on the server.

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Related Identifiers

CVE-2026-38329

Affected Products

Undefined

CVE-2026-38329

Related Identifiers

Affected Products

References · 2