Bludit CMS 3.18.4 - RCE Vulnerability Discovered

A Remote Code Execution (RCE) vulnerability has been identified as CVE-2026-25099 in Bludit CMS versions prior to 3.18.4. This exploit, dated 2026-03-28, was authored by Yahia Hamza. The exploit title is: Bludit CMS 3.18.4 - RCE.

Vulnerability Details

The vulnerability lies in the Bludit CMS API plugin, which allows an authenticated user with a valid API token to upload files of any type and extension via POST /api/files/<page-key>. The plugin's uploadFile() function performs no file extension or content validation, so a PHP webshell can be uploaded and is then executed by the web server as www-data.

The API token, which is a prerequisite for exploiting this flaw, is generated when the API plugin is activated and is visible to users with admin panel access. Researchers also note that tokens may be exposed through misconfiguration, log files, or other application vulnerabilities, broadening potential attack vectors. The exploit was successfully tested on systems running Ubuntu 24.04 LTS, Apache 2.4, and PHP 8.3.

Exploit Process

This vulnerability has been fixed in Bludit 3.18.4. The exploit follows a clear path to RCE: it first retrieves the page key from the Bludit API (“Retrieving page key…”), then uploads a webshell through the unrestricted file upload endpoint (“Uploading webshell…”), then checks that the shell runs (“Verifying RCE…”) and reports “RCE confirmed” on success. From there it can “Execute a command via the uploaded webshell.”
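Because the flaw was tested against Apache 2.4, the upload-then-execute sequence described above leaves a recognisable trace in the access log: a successful POST to /api/files/<page-key> followed by a request for a PHP file under the uploads directory from the same client. The following detector is an added example, not code from the advisory or the Bludit project; the uploads path bl-content/uploads/ and the log lines are constructed assumptions.

```python
import re
from collections import defaultdict

# Apache 2.4 combined log format (assumed; the CMS itself writes no request log here).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)
# The vulnerable endpoint named in the advisory; the segment after /api/files/ is the page key.
UPLOAD_RE = re.compile(r'^/api/files/[^/?]+')
# Assumed upload location; any PHP-executable extension served from there is suspect.
SCRIPT_RE = re.compile(r'^/bl-content/uploads/.*\.ph(p\d?|tml|ar)(\?|$)', re.IGNORECASE)


def parse(line):
    """Split one access-log line into its fields, or return None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_upload_rce(lines):
    """Return (client_ip, upload_request, script_path) for every client that made a
    successful upload via the API and later requested a PHP file from the uploads tree."""
    uploads = defaultdict(list)   # client ip -> upload requests seen so far
    hits = []
    for line in lines:
        r = parse(line)
        if not r:
            continue
        if r["method"] == "POST" and UPLOAD_RE.match(r["path"]) and r["status"].startswith("2"):
            uploads[r["ip"]].append(r["path"])
        elif SCRIPT_RE.match(r["path"]) and r["ip"] in uploads:
            hits.append((r["ip"], uploads[r["ip"]][-1], r["path"].split("?")[0]))
    return hits


# Constructed sample log: one client uploads and then calls a shell, another uploads an image.
SAMPLE_LOG = """\
203.0.113.5 - - [28/Mar/2026:10:00:01 +0000] "GET /api/pages HTTP/1.1" 200 512
203.0.113.5 - - [28/Mar/2026:10:00:02 +0000] "POST /api/files/hello-world HTTP/1.1" 200 87
203.0.113.5 - - [28/Mar/2026:10:00:03 +0000] "GET /bl-content/uploads/pages/hello-world/shell.php?cmd=id HTTP/1.1" 200 64
198.51.100.9 - - [28/Mar/2026:10:05:00 +0000] "POST /api/files/about HTTP/1.1" 200 90
198.51.100.9 - - [28/Mar/2026:10:05:01 +0000] "GET /bl-content/uploads/pages/about/photo.jpg HTTP/1.1" 200 40210
"""

if __name__ == "__main__":
    for ip, upload, script in find_upload_rce(SAMPLE_LOG.splitlines()):
        print(f"ALERT {ip}: upload via {upload} then executed {script}")
```

A single upload of a non-script file (the second client) produces no alert, so the rule keys on the execution step rather than on API use alone.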

Usage Examples

Usage examples provided for the Python exploit include:

  • python3 CVE-2026-25099.py -u http://target -t API_TOKEN for an interactive shell.
  • python3 CVE-2026-25099.py -u http://target -t API_TOKEN -c "id" to execute a specific command.

Without -c, the exploit drops into an interactive shell (type ‘exit’ to quit).

This post is licensed under CC BY 4.0 by the author.