CVE-2026-50869
Status: Deferred - Pending Action
Directory Traversal in Bludit CMS

Publication date: 2026-06-15

Last updated on: 2026-06-15

Assigner: MITRE

Description
An issue in the api/plugin.php component of Bludit v3.19.0 allows attackers to perform a directory traversal by supplying a crafted request.
Meta Information
Published: 2026-06-15
Last Modified: 2026-06-15
Generated: 2026-06-16
AI Q&A: 2026-06-15
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor: bludit
Product: bludit
Version / Range: 3.19.0
CWE: CWE-UNKNOWN
Executive Summary

CVE-2026-50869 is a vulnerability in Bludit version 3.19.0 that allows an authenticated administrator to perform a directory traversal attack via the API.

The issue occurs in the uploadFile() function in bl-plugins/api/plugin.php, where the filename from the uploaded file is used directly to build the destination path without proper validation or normalization.

This allows an attacker to include path traversal sequences (like ../../../../.htaccess) in the filename, enabling them to upload files outside the intended upload directory.

Impact Analysis

The vulnerability allows an attacker with administrator API access to write files to arbitrary locations on the filesystem.

If the uploaded files are interpreted by the webserver or PHP runtime (for example, .htaccess or .user.ini files), this could lead to altered request handling or even remote code execution.

If such interpretation does not occur, the impact is limited to loss of filesystem integrity due to unauthorized file writes.

Detection Guidance

This vulnerability can be detected by monitoring for suspicious file upload requests to the Bludit API, specifically targeting the api/plugin.php endpoint with filenames containing directory traversal sequences such as "../../".

A practical detection method involves inspecting web server logs or capturing network traffic for multipart upload requests where the filename parameter includes path traversal patterns.

For example, you can use the following command to search web server access logs for suspicious upload attempts:

  • grep -E 'POST .*api/plugin.php' /var/log/apache2/access.log | grep -E '\.\./|\.\.\\'

Additionally, you can use tools like tcpdump or Wireshark to capture HTTP POST requests and filter for filenames containing traversal sequences.
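The following is an added example, not code from the page or the Bludit project, that applies the access-log check above to a few constructed Apache combined-format lines in Python. It percent-decodes the request target (twice, to catch double encoding) before testing for traversal sequences, so encoded variants such as %2e%2e%2f are flagged as well as literal ../ and ..\. Note that a standard access log records only the request line, so this finds traversal in the URL or query string; a multipart filename inside the request body is only visible with request-body logging or a WAF, which the traffic-capture approach above addresses.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Apache "combined" format (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [15/Jun/2026:10:01:12 +0000] "POST /api/plugin.php?action=upload HTTP/1.1" 200 512 "-" "curl/8.4.0"
10.0.0.7 - - [15/Jun/2026:10:02:40 +0000] "POST /api/plugin.php?filename=../../../../.htaccess HTTP/1.1" 200 88 "-" "curl/8.4.0"
10.0.0.9 - - [15/Jun/2026:10:03:05 +0000] "POST /api/plugin.php?filename=%2e%2e%2f%2e%2e%2f.user.ini HTTP/1.1" 200 88 "-" "python-requests/2.32"
10.0.0.5 - - [15/Jun/2026:10:04:19 +0000] "GET /admin/dashboard HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

# Fields of the access-log entry we need: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# A ".." segment followed by a forward or back slash, as in the grep above.
TRAVERSAL_RE = re.compile(r'\.\.[\\/]')


def has_traversal(target: str) -> bool:
    """True if the request target contains a traversal sequence after
    percent-decoding (applied twice to also catch double-encoded input)."""
    decoded = unquote(unquote(target))
    return TRAVERSAL_RE.search(decoded) is not None


def find_suspicious_uploads(log_text: str) -> list[dict]:
    """Return POST requests to api/plugin.php whose URL carries a traversal sequence."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m is None or m['method'] != 'POST':
            continue
        if 'api/plugin.php' not in m['target']:
            continue
        if has_traversal(m['target']):
            hits.append({'ip': m['ip'], 'time': m['ts'],
                         'target': unquote(m['target']), 'status': m['status']})
    return hits


if __name__ == '__main__':
    for hit in find_suspicious_uploads(SAMPLE_LOG):
        print(f"{hit['time']} {hit['ip']} -> {hit['target']} ({hit['status']})")
```

Run it against a real log by reading the file into find_suspicious_uploads(); every hit is a candidate to correlate with the upload directory contents and the API user's session.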

Mitigation Strategies

Immediate mitigation steps include restricting access to the Bludit API to trusted administrators only, ensuring strong authentication is enforced.

Additionally, you should implement input validation and sanitization on the filename parameter to prevent directory traversal sequences from being processed.

If possible, apply patches or updates from the Bludit project that address this vulnerability.

As a temporary workaround, you can monitor and block upload requests with suspicious filenames and restrict write permissions on critical directories to prevent unauthorized file writes.
