PatchSiren cyber security CVE debrief
CVE-2026-38329 Bludit CVE debrief
CVE-2026-38329 is a Remote Code Execution (RCE) vulnerability in Bludit CMS before version 3.18.4. The vulnerability is caused by the lack of authorization and file extension validation in the POST /api/files/{key} endpoint in bl-plugins/api/plugin.php. An attacker with a valid API token can upload a malicious PHP script and execute arbitrary code on the server. For more information, see [cve-org](https://www.cve.org/CVERecord?id=CVE-2026-38329) and [nvd](https://nvd.nist.gov/vuln/detail/CVE-2026-38329).
- Vendor: Bludit
- Product: Bludit CMS
- CVSS: Unknown
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-15
- Original CVE updated: 2026-06-15
- Advisory published: 2026-06-15
- Advisory updated: 2026-06-15
Who should care
Anyone running Bludit CMS before version 3.18.4 should update to 3.18.4 or later. Installations with the API plugin enabled and API tokens issued are the ones directly exposed, since the flaw is reachable by any holder of a valid token.
Technical summary
The POST /api/files/{key} endpoint in bl-plugins/api/plugin.php accepts uploaded files without an authorization check beyond possession of an API token and without validating the extension of the uploaded file. A holder of a valid API token can therefore upload a file with a PHP extension and, by requesting it through the web server, execute arbitrary code on the host. The precondition is a token, not administrator credentials, so every account or integration that holds one is in scope.
Defensive priority
High
Recommended defensive actions
- Update Bludit CMS to version 3.18.4 or later.
- Restrict access to the API plugin: disable it if it is not needed, and limit which accounts and integrations hold API tokens.
- Monitor web server logs for POST requests to /api/files/ and for files with executable extensions (such as .php) appearing in, or being requested from, the upload directory.
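The following is an added example, not Bludit's own code or the advisory's: it shows the two checks a practitioner would want around this flaw, the extension allowlist that the technical summary says the endpoint lacked, and the log-monitoring rule from the last recommended action, run over a few constructed access-log lines. The upload directory prefix `/bl-content/uploads/`, the executable-extension list, the allowlist and the sample log lines are assumptions made for illustration; adjust them to your installation.

```python
"""Added example for CVE-2026-38329: hardened upload check plus log detection.

Not Bludit code. The upload prefix, extension lists and log lines below are
constructed assumptions for illustration.
"""
import re
from urllib.parse import unquote, urlsplit

# Assumption: extensions a PHP-enabled web server will execute.
EXECUTABLE_EXTS = {"php", "php3", "php4", "php5", "php7", "php8",
                   "phtml", "phar", "pht", "phps"}

# Assumption: what a hardened files endpoint should accept at all.
ALLOWED_EXTS = {"png", "jpg", "jpeg", "gif", "webp", "pdf"}

# Assumption: where Bludit serves uploaded files from; adjust to your install.
UPLOAD_PREFIX = "/bl-content/uploads/"

# The endpoint named in the advisory: POST /api/files/{key}.
API_FILES_RE = re.compile(r"^/api/files/[^/]+$")

# Apache/nginx combined log format, enough fields for this rule.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)


def extensions(path: str) -> list[str]:
    """All dotted segments after the stem of the last path component, lowercased."""
    name = path.lower().rsplit("/", 1)[-1]
    parts = name.split(".")
    return parts[1:] if len(parts) > 1 else []


def is_acceptable_upload(filename: str) -> bool:
    """The check the vulnerable endpoint lacked.

    Decodes percent-encoding first, refuses path separators and NUL bytes,
    requires the final extension to be allowlisted, and rejects an executable
    extension anywhere in the name, so 'shell.php', 'shell.php.png',
    'shell.png.php' and 'shell.php%00.png' are all refused.
    """
    name = unquote(filename)
    if not name or "/" in name or "\\" in name or "\x00" in name:
        return False
    exts = extensions(name)
    if not exts or exts[-1] not in ALLOWED_EXTS:
        return False
    return not any(e in EXECUTABLE_EXTS for e in exts)


def scan_log(lines: list[str]) -> list[dict]:
    """Flag POSTs to the files API (review who holds that token) and any
    executable file requested from the upload directory (strong signal)."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = unquote(urlsplit(m["target"]).path)
        if m["method"] == "POST" and API_FILES_RE.match(path):
            findings.append({"ip": m["ip"], "path": path,
                             "reason": "api_files_upload"})
        elif path.startswith(UPLOAD_PREFIX) and any(
                e in EXECUTABLE_EXTS for e in extensions(path)):
            findings.append({"ip": m["ip"], "path": path,
                             "reason": "executable_in_uploads"})
    return findings


# Constructed sample log lines (not from a real incident).
SAMPLE_LOG = [
    '203.0.113.5 - - [15/Jun/2026:10:01:12 +0000] "POST /api/files/a1b2c3 HTTP/1.1" 200 85 "-" "curl/8.0"',
    '203.0.113.5 - - [15/Jun/2026:10:01:15 +0000] "GET /bl-content/uploads/shell.php?cmd=id HTTP/1.1" 200 312 "-" "curl/8.0"',
    '198.51.100.7 - - [15/Jun/2026:10:05:00 +0000] "GET /bl-content/uploads/photo.png HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [15/Jun/2026:10:05:03 +0000] "GET /api/files/a1b2c3 HTTP/1.1" 405 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['reason']:<24} {f['ip']:<15} {f['path']}")
```

Run against real logs, the second rule (an executable extension under the upload prefix) is the one worth alerting on immediately; the first rule is noisy on sites that legitimately upload through the API and is better used to build a baseline of which source addresses use the files endpoint.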
Evidence notes
The vulnerability was reported via [ref-4](https://gist.github.com/Ki1ro0133/8bd14bd4fc6fab81c907d838a7aeee55).
Official resources
- [CVE-2026-38329 CVE record](https://www.cve.org/CVERecord?id=CVE-2026-38329) (CVE.org)
- [CVE-2026-38329 NVD detail](https://nvd.nist.gov/vuln/detail/CVE-2026-38329) (NVD)
- Source item: nvd_modified
- Source reference: public