Arbitrary file upload in Bludit

CVE-2026-25099

Bludit’s API plugin lets an authenticated attacker who holds a valid API token upload files of any type and extension with no restriction. An uploaded script can then be requested through the web server and executed, giving remote code execution. The issue was fixed in Bludit 3.18.4.

Vulnerability class: Unrestricted File Upload
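To make the weakness class concrete, the following is an added illustration of CWE-434 written for this page; it is not Bludit’s code and not the 3.18.4 fix. It models an image-upload endpoint with two policies: the weak one trusts the client-supplied filename verbatim (so a `.php` upload lands in the web root under its own name), the hardened one enforces an extension allow-list on every dotted segment, checks the leading magic bytes against the declared extension, and discards the client name in favour of a random one. The allow-list, the sample bytes and the upload directory are assumptions made for the example.

```python
"""Illustrative upload validation for CWE-434 (Unrestricted Upload of File
with Dangerous Type). Added example; not Bludit's code and not its patch.
"""
import os
import re
import secrets

# Assumed policy for an image-only endpoint: extension -> acceptable leading
# magic bytes. Not Bludit's list.
ALLOWED = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}

# Lower-case, no leading dot (blocks .htaccess), no path separators.
SAFE_NAME = re.compile(r"^[a-z0-9][a-z0-9._-]{0,63}$")

# Constructed sample payloads for the demonstration below.
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
PHP_SAMPLE = b"<?php system($_GET['c']); ?>"


def vulnerable_target_path(upload_dir: str, filename: str) -> str:
    """Weak policy: keeps whatever name and extension the client sent.
    'shell.php' becomes <upload_dir>/shell.php; if upload_dir is served by
    a PHP-enabled web server, requesting it runs the attacker's code."""
    return os.path.join(upload_dir, os.path.basename(filename))


def hardened_target_path(upload_dir: str, filename: str, data: bytes) -> str:
    """Hardened policy: raises ValueError for anything outside the allow-list."""
    name = os.path.basename(filename).lower()
    if not SAFE_NAME.match(name) or "." not in name:
        raise ValueError("unacceptable filename")
    # Every segment after the first is treated as an extension, so
    # 'shell.php.png' is rejected because 'php' is not on the list.
    parts = name.split(".")
    for ext in parts[1:]:
        if ext not in ALLOWED:
            raise ValueError(f"extension not allowed: {ext}")
    ext = parts[-1]
    if not any(data.startswith(magic) for magic in ALLOWED[ext]):
        raise ValueError("content does not match declared extension")
    # The client-supplied basename is discarded entirely.
    return os.path.join(upload_dir, f"{secrets.token_hex(16)}.{ext}")


def is_accepted(filename: str, data: bytes) -> bool:
    """Convenience wrapper: True if the hardened policy would store the file."""
    try:
        hardened_target_path("/srv/www/uploads", filename, data)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print("weak  :", vulnerable_target_path("/srv/www/uploads", "shell.php"))
    for fname, payload in [
        ("logo.png", PNG_SAMPLE),
        ("shell.php", PHP_SAMPLE),
        ("shell.php.png", PNG_SAMPLE),
        ("logo.png", PHP_SAMPLE),
        (".htaccess", b"AddType application/x-httpd-php .png"),
    ]:
        print(f"hardened: {fname:14} accepted={is_accepted(fname, payload)}")
```

Two caveats the example is built around: a magic-byte check on its own is not enough, because a file beginning with `GIF89a` followed by PHP code passes it, so the extension allow-list and the random server-chosen name are what actually stop execution; and even the hardened policy assumes the upload directory is not mapped to a script handler, which is a web-server configuration question rather than an application one.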

EPSS: 0.005 (67.6th percentile)

Affected products

Bludit versions prior to 3.18.4 (fixed in 3.18.4).

Weakness classification (CWE)

CWE-434: Unrestricted Upload of File with Dangerous Type.

Public proof-of-concept exploits

One public proof-of-concept repository is indexed.

Frequently asked questions

What is CVE-2026-25099?
CVE-2026-25099 is a vulnerability in Bludit, classified under Unrestricted Upload of File with Dangerous Type. Published 2026-03-27.
Is CVE-2026-25099 known to be exploited?
One public proof-of-concept repository is indexed. It is not currently listed in the CISA KEV catalog.