CVE-2026-25099
Remote Code Execution via Unrestricted File Upload in BluditBludit’s API plugin allows an authenticated attacker with a valid API token to upload files of any type and extension without restriction, which can then be executed, leading to Remote Code Execution. This issue was fixed in 3.18.4.
We have discovered 1,299 live websites that are affected by CVE-2026-25099.
Affected Software
| Product | |
| Category | Content Management System |
| Vulnerable Domains | 1,299 live websites (100% of Bludit install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 20 versions ( 91% of all versions) |
Common Weakness Enumeration
CWE-434 Unrestricted Upload of File with Dangerous TypeDetails
- Published - Mar 27, 2026
- Updated - Mar 27, 2026
Credits
- Arkadiusz Marta (finder)
CVE References
CWE References
CWE
Website Distribution by Country
Number of websites using CVE-2026-25099 United States | 254 websites |
 Germany | 415 websites |
 Ukraine | 138 websites |
 France | 73 websites |
 Poland | 63 websites |
 Russia | 58 websites |
 Switzerland | 46 websites |
 Czech Republic | 24 websites |
 GB | 23 websites |
 Italy | 19 websites |
Website Distribution by TLD
Number of websites using CVE-2026-25099| .de | 318 websites |
| .com | 249 websites |
| .fr | 86 websites |
| .net | 56 websites |
| .ru | 50 websites |
| .pl | 47 websites |
| .org | 47 websites |
| .ch | 44 websites |
| .eu | 26 websites |
| .cz | 23 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redWebsites affected by CVE-2026-25099
Top websites that are affected by CVE-2026-25099. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| ******.de | Germany | *,*** | |
| *******.de | Germany | *,*** | |
| *************.de | Germany | *,*** | |
| *****************.jetzt | Germany | **,*** | |
| ************.io | United States | **,*** | |
| ********.com | United States | ***,*** | |
| *********.com | United States | ***,*** | |
| ******.de | Germany | ***,*** | |
| *****.com | United States | ***,*** | |
| ************.eu | United States | ***,*** |
FAQ
CVE-2026-25099 is Unrestricted Upload of File with Dangerous Type in Bludit
A total of 1,299 websites have been identified as vulnerable to CVE-2026-25099, based on global website indexing conducted by WebTechSurvey.
The Bludit is affected by the CVE-2026-25099 vulnerability.
Bludit versions up to 3.18.4 are vulnerable to CVE-2026-25099.
CVE-2026-25099 is resolved in version 3.18.4 of Bludit.