Share
## https://sploitus.com/exploit?id=A02070EE-167A-5F7F-930D-FC8815B5D40A
# CVE-2026-25099 โ€” Bludit CMS API Unrestricted File Upload to RCE

## Description

Bludit CMS versions before 3.18.4 allow an authenticated attacker with a valid API token to upload files of any type and extension via the `POST /api/files/` endpoint. The `uploadFile()` function performs no file extension or content validation, allowing PHP webshells to be uploaded and executed as `www-data`.

## Affected Versions

- **Vulnerable:** Bludit  whoami
www-data
shell> grep BLUDIT_VERSION /var/www/html/bl-kernel/boot/init.php
define('BLUDIT_VERSION', '3.18.2');
```

## Screenshots

![PoC Execution](screenshots/poc-execution.jpg)

## Remediation

- Update to Bludit 3.18.4 or later
- Disable the API plugin if not needed
- Monitor `/bl-content/uploads/` for unexpected PHP files

## References

- [CVE-2026-25099 on MITRE](https://vulners.com/cve/CVE-2026-25099)
- [Bludit 3.18.4 Release](https://github.com/bludit/bludit/releases/tag/3.18.4)
- [OWASP File Upload Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/File_Upload_Cheat_Sheet.html)

## Author

**Yahia Hamza** - [https://yh.do](https://yh.do)

## Disclaimer

This tool is provided for authorized security testing and educational purposes only. Use responsibly and only against systems you have permission to test.