Bludit’s API plugin allows an authenticated attacker with a valid API token to upload files of any type and extension without restriction, which can then be executed, leading to Remote Code Execution. This issue was fixed in 3.18.4.

Credits
Arkadiusz Marta

References
https://cert.pl/posts/2026/03/CVE-2026-25099
https://github.com/bludit/bludit/releases/tag/3.18.4