CVE-2026-38329
Status: Deferred - Pending Action
Source: BaseFortify

Publication date: 2026-06-15

Last updated on: 2026-06-15

Assigner: MITRE

Description
Bludit CMS before version 3.18.4 allows Remote Code Execution (RCE) via the API Plugin. The POST /api/files/{key} endpoint in bl-plugins/api/plugin.php fails to perform authorization checks and lacks file extension validation. An attacker with a valid API token can upload a malicious PHP script and execute arbitrary code on the server.
Meta Information
Generated: 2026-06-16
AI Q&A generated: 2026-06-15
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor: bludit; Product: cms; Version / Range: before 3.18.4 (exclusive)
CWE ID: CWE-UNKNOWN
Executive Summary

CVE-2026-38329 is a Remote Code Execution (RCE) vulnerability in Bludit CMS versions before 3.18.4. It exists in the API Plugin, specifically in the POST /api/files/{key} endpoint within bl-plugins/api/plugin.php.

The vulnerability occurs because this endpoint fails to perform proper authorization checks and does not validate file extensions. As a result, an attacker who has a valid API token, even one with only read permissions, can upload malicious PHP scripts.

Once uploaded, these malicious scripts can be executed on the server, allowing the attacker to run arbitrary code. This is possible because the uploadFile() function does not filter or sanitize filenames, unlike other functions that enforce extension whitelists and input sanitization.

Impact Analysis

This vulnerability can have severe impacts as it allows an attacker to execute arbitrary code on the server hosting the Bludit CMS.

  • An attacker can upload a malicious PHP webshell and gain control over the server.
  • This can lead to unauthorized access to sensitive data, modification or deletion of content, and potential disruption of services.
  • The attacker could also use the compromised server as a pivot point to attack other systems within the network.

Detection Guidance

This vulnerability can be detected by monitoring for unauthorized or suspicious POST requests to the endpoint /api/files/{key} on Bludit CMS servers prior to version 3.18.4. Specifically, look for POST requests that upload files with PHP extensions or unusual filenames, especially when made using API tokens that should have read-only permissions.

A practical detection method is to check web server logs for POST requests to the vulnerable endpoint that include PHP files or unexpected file uploads.

Example commands to detect potential exploitation attempts include:

  • Using grep to find suspicious POST requests in Apache logs: grep -i 'POST /api/files/' /var/log/apache2/access.log | grep -E '\.php'
  • Using curl to test if the endpoint accepts file uploads without proper authorization (requires a valid API token): curl -X POST -H "Authorization: Bearer <token>" -F "[email protected]" https://target-site.com/api/files/test
  • Checking for uploaded PHP webshell files in the web root or upload directories: find /var/www/html/uploads -name '*.php'
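A scripted form of the log checks above, added here as an example and not code from the BaseFortify page or from Bludit: it parses Apache combined-format lines (the sample lines are constructed), flags every POST to /api/files/{key}, and flags later requests for PHP-executable files beneath an assumed upload prefix of /uploads/ (Bludit's real upload path may differ; pass your own). The extension check covers the extensions a typical PHP handler executes, not only .php, so it is broader than the grep and find commands above.

```python
import re

# Constructed sample lines in Apache "combined" format (not from any real server).
SAMPLE_LOG = """\
203.0.113.5 - - [15/Jun/2026:10:01:02 +0000] "POST /api/files/abc123 HTTP/1.1" 200 512 "-" "curl/8.0"
198.51.100.7 - - [15/Jun/2026:10:01:03 +0000] "GET /api/pages HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.5 - - [15/Jun/2026:10:01:09 +0000] "GET /uploads/shell.php HTTP/1.1" 200 42 "-" "curl/8.0"
"""

# Combined log format; adjust for other layouts. The path group stops at the first space.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+'
)
UPLOAD_ENDPOINT_RE = re.compile(r"^/api/files/[^/?]+")  # the vulnerable POST /api/files/{key}
# Extensions a typical PHP handler will execute; a plain '*.php' check misses most of these.
PHP_EXTENSIONS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "phps"}

def parse_line(line):
    """Split one log line into its fields; None if the line is not in combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def has_php_extension(filename):
    """True if any dotted segment is PHP-executable, so 'shell.php.jpg' is caught as well as 'shell.php'."""
    return any(seg in PHP_EXTENSIONS for seg in filename.lower().split(".")[1:])

def suspicious_upload_requests(lines):
    """(ip, path, status) for every POST to /api/files/{key}; a 200 means the server took the upload."""
    hits = []
    for rec in map(parse_line, lines):
        if rec and rec["method"] == "POST" and UPLOAD_ENDPOINT_RE.match(rec["path"]):
            hits.append((rec["ip"], rec["path"], int(rec["status"])))
    return hits

def php_requests_under(lines, upload_prefix):
    """(ip, path) for requests to PHP-executable files below upload_prefix (assumed /uploads/ here)."""
    hits = []
    for rec in map(parse_line, lines):
        if rec and rec["path"].startswith(upload_prefix):
            name = rec["path"].split("?", 1)[0].rsplit("/", 1)[-1]
            if has_php_extension(name):
                hits.append((rec["ip"], rec["path"]))
    return hits

if __name__ == "__main__":
    print("upload POSTs:", suspicious_upload_requests(SAMPLE_LOG.splitlines()))
    print("PHP requested under /uploads/:", php_requests_under(SAMPLE_LOG.splitlines(), "/uploads/"))
```

The access log records only the request path, not the multipart filename, so the upload itself never shows a .php name in the log; the second check therefore looks for a later request that fetches a script from the upload directory, which is the point at which the uploaded file is executed.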

Mitigation Strategies

Immediate mitigation steps include:

  • Upgrade Bludit CMS to version 3.18.4 or later, where this vulnerability is fixed.
  • Restrict API tokens to only those necessary and avoid using tokens with write permissions unless absolutely required.
  • Monitor and audit API usage, especially POST requests to /api/files/{key}, to detect any unauthorized file uploads.
  • If upgrading immediately is not possible, consider disabling or restricting access to the vulnerable API endpoint.
  • Scan the server for any uploaded PHP webshells and remove them.

Compliance Impact

The vulnerability allows an attacker with a valid API token to execute arbitrary code on the server by uploading malicious PHP scripts. This can lead to unauthorized access, data breaches, and potential manipulation or theft of sensitive information stored on the affected Bludit CMS server.

Such unauthorized access and potential data compromise can negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require strict controls to protect personal and sensitive data from unauthorized access and breaches.
