Bludit API plugin allows authenticated upload of any file, remote code execution risk that could turn websites into a data breach
What happened
Bludit’s API plugin, according to a fresh advisory, lets an authenticated actor with a valid API token upload files of any type and extension without restriction, and those files can be executed, creating a path to remote code execution.
The issue is tracked as CVE-2026-25099, rated 8.7 (HIGH), and was reported about 23 minutes ago. The vendor has issued a fix in Bludit version 3.18.4.
Who is affected, in plain terms: any site running Bludit with the vulnerable API plugin enabled and accepting API tokens, prior to moving to 3.18.4. The advisory does not disclose how it was discovered, nor whether active exploitation in the wild is occurring right now.
Why this matters to businesses
Since Bludit is a content management system, organisations using it run public-facing web assets that customers and partners trust. If an attacker can upload and execute arbitrary files, that trust evaporates fast.
Consequences include site defacement, malware or cryptominer hosting, data exfiltration from the web host, or pivoting to other infrastructure via credentials or local network access. That leads to downtime, cleanup costs, potential contract losses and regulatory headaches if customer data is involved.
And yes, this is the sort of thing that happens when public-facing CMS endpoints are treated like background noise and patching is put on the “later” shelf.
If you’ve got the same weakness, here’s what happens next
If an attacker with a token uploads a web shell or executable, they can run commands as the web user, plant persistence and move laterally. Files that look harmless can be executable on some servers, so a single upload is enough.
Following that, you can expect a messy response: forensics, rebuilds, rotated keys, emergency meetings and a PR note. Recovery costs climb quickly, and evidence needed for regulators or insurers may be incomplete if logging and backups weren’t configured correctly.
What to do on Monday morning
-
Inventory every public site, staging site and server using Bludit, and note plugin usage and versions.
-
Patch immediately to Bludit 3.18.4 where possible, or apply vendor mitigations if you can’t upgrade that fast.
-
Rotate and revoke any API tokens, keys and credentials that could be used by the API plugin, on principle of least privilege.
-
Scan web roots and upload directories for unexpected files, check recent file modification times, and search for common web shell signatures in logs and on disk.
-
Review web server configuration so uploaded files cannot execute (for example, store uploads outside web root or mark storage private), and apply strict MIME and extension checks server-side.
-
Ensure logging and alerting are turned on for file uploads and suspicious execution events, and collect logs off-box before you start any clean-up.
-
Test restores from known-good backups before you rebuild, and plan to involve hosting and incident response suppliers early if you find indicators of compromise.
Where ISO standards fit, without the sales pitch
Having an ISO-aligned system helps you avoid this exact mess. For example, an asset register and patch management process driven by ISO 27001 would make it obvious which sites run Bludit and need urgent updates.
Since continuity and recovery matter when a public site is compromised, a tested business continuity plan based on ISO 22301 reduces scramble time and keeps customers informed while you fix the problem.
For smaller organisations and baseline controls, certifications like those outlined at IASME map to simple, practical controls: inventories, patching, access control and secure configuration, which would have limited the blast radius here.
Wrap-up
If you run Bludit, treat this as a live priority: identify instances, patch to 3.18.4, revoke API tokens and hunt for unexpected uploads. It’s not glamorous, but it’s the work that stops a minor hole becoming a full breach.