
Bludit CMS API Plugin Remote Code Execution

CVE advisory

Severity: CRITICAL (CVSS 9.8)

CVE-2026-38329

A critical vulnerability in Bludit CMS's API plugin allows remote code execution. This flaw, stemming from insufficient authorization and validation in a file upload endpoint, could enable an attacker with an API token to upload and execute malicious scripts on the server.

Halo Surface Signal score for CVE-2026-38329: 4 (external exposure likelihood)

Impact: Remote Code Execution

The vulnerability resides in a CMS API endpoint designed for file operations. Content management systems and their associated APIs are commonly deployed as internet-facing web services to facilitate content updates and remote management, making this surface frequently reachable from the public internet.

PCI scan relevance

PCI Relevance for CVE-2026-38329: Yes

Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This CVE is PCI scan-relevant because it allows Remote Code Execution (RCE), which is a critical vulnerability that typically causes ASV scan failures.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

Horizon Alert

Summary of the vulnerability and why it matters

This advisory concerns a critical vulnerability in Bludit CMS that could allow remote code execution through its API plugin. The flaw involves insufficient authorization and validation checks, potentially enabling an attacker with an API token to upload and run malicious scripts on the server.

  • Code execution flaw in CMS API plugin.
  • Allows remote attackers to upload malicious scripts.
  • Confirm relevance and assess potential exposure.

Attack Path

How an attacker could exploit the issue

An attacker with an API token can upload a malicious PHP script through a vulnerable API endpoint. This occurs because the endpoint fails to properly check authorization and validate file types, potentially leading to the execution of arbitrary code on the server.

  • Requires a valid API token.
  • Uploading a malicious PHP script.
  • Remote code execution on server.
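The two controls whose absence the attack path describes are an authorization check on the token and validation of the uploaded file's type. The routine below is an added illustration of how a hardened upload handler applies both; it is not Bludit's code and does not reflect the project's actual API, token store or directory layout. The token store, the permission names and the allowed-type list are constructed assumptions for the example.

```python
import os
import re
import secrets

# Constructed allowlist: only non-executable content types are accepted.
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif", "webp", "pdf"}

# Leading bytes each allowed type must start with (magic-number check), so a
# PHP file renamed to .png is rejected even though its extension is allowed.
MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
    "webp": b"RIFF",
    "pdf": b"%PDF-",
}

# Single stem, single extension, no dots inside the stem: blocks "shell.php.png".
SAFE_NAME = re.compile(r"([A-Za-z0-9_-]{1,64})\.([A-Za-z0-9]{1,5})")


class UploadRejected(Exception):
    """Raised when an upload fails an authorization or validation check."""


def token_allows_upload(token, token_db):
    """Authorization check (hypothetical token store: token -> set of permissions).

    A token merely being valid is not enough; it must carry the upload permission.
    """
    perms = token_db.get(token)
    return perms is not None and "upload" in perms


def validate_upload(filename, content, token, token_db):
    """Apply authorization, then filename, extension and content-type validation.

    Returns the randomised name the file should be stored under; the
    user-supplied name is never used on disk.
    """
    if not token_allows_upload(token, token_db):
        raise UploadRejected("token lacks upload permission")
    base = os.path.basename(filename)          # drop any path components
    match = SAFE_NAME.fullmatch(base)
    if not match:
        raise UploadRejected("filename not in the allowed form")
    ext = match.group(2).lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise UploadRejected(f"extension .{ext} not allowed")
    if not content.startswith(MAGIC[ext]):
        raise UploadRejected("content does not match the declared type")
    return f"{secrets.token_hex(16)}.{ext}"


def try_upload(filename, content, token, token_db):
    """Convenience wrapper returning (accepted, stored_name_or_reason)."""
    try:
        return True, validate_upload(filename, content, token, token_db)
    except UploadRejected as exc:
        return False, str(exc)


if __name__ == "__main__":
    # Constructed token store: one read-only token, one with upload rights.
    db = {"ro-token": {"read"}, "rw-token": {"read", "upload"}}
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    print(try_upload("logo.png", png, "rw-token", db))            # accepted
    print(try_upload("logo.png", png, "ro-token", db))            # rejected: permission
    print(try_upload("shell.php", b"<?php echo 1;", "rw-token", db))  # rejected: extension
    print(try_upload("shell.php.png", png, "rw-token", db))       # rejected: double extension
    print(try_upload("logo.png", b"<?php echo 1;", "rw-token", db))   # rejected: magic bytes
```

Validation in the handler is only one layer: uploads should also be stored outside the document root or in a location the web server never hands to the PHP interpreter, so that a file which slips past the checks still cannot be executed.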

Live Threat

Current exploitation, exposure, and threat context

According to the advisory, a vulnerability in the API plugin of Bludit CMS could allow an attacker holding a valid API token to execute arbitrary code on the server. This occurs because the API endpoint for file uploads does not properly check authorization or validate file extensions, enabling the upload and execution of malicious PHP scripts.

  • Server-side code execution.
  • Uploading malicious scripts via API.
  • Complete server compromise.

Operational Fix

Recommended remediation, mitigation, and detection steps

This Bludit CMS API plugin vulnerability requires action from the teams responsible for web application security and content management systems. The first practical step is to identify all instances of Bludit CMS, determine their exposure and business criticality, and locate the accountable system owner. Remediation planning should then proceed based on the assessed risk.

  • Application owners should manage the issue.
  • Verify API endpoint reachability and impact.
  • Plan remediation based on risk assessment.
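Alongside patching, a team that owns a Bludit instance will want to check whether its upload location already holds anything that should not be there. The audit below is an added example, not Halo's or Bludit's tooling; it walks a directory and flags files with a PHP-style extension anywhere in the name or a PHP open tag in their leading bytes. The directory layout and sample files are constructed for the demonstration, since Bludit's real upload path is not stated on this page.

```python
import os
import re
import tempfile

# Extensions a typical PHP web server hands to the interpreter (constructed list).
SCRIPT_EXTENSIONS = {"php", "phtml", "php3", "php4", "php5", "php7", "phps"}

# PHP open tags: "<?php" and the short echo tag "<?=".
PHP_TAG = re.compile(rb"<\?(php|=)")

HEAD_BYTES = 65536  # only the start of each file is inspected


def audit_upload_dir(root):
    """Return sorted (relative_path, [reasons]) for every suspicious file under root."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            reasons = []
            # Every dot-separated part after the stem counts: catches "image.php.png".
            exts = set(name.lower().split(".")[1:])
            if exts & SCRIPT_EXTENSIONS:
                reasons.append("script extension")
            with open(path, "rb") as fh:
                head = fh.read(HEAD_BYTES)
            if PHP_TAG.search(head):
                reasons.append("php open tag in content")
            if reasons:
                findings.append((os.path.relpath(path, root), reasons))
    return sorted(findings)


def build_sample_tree():
    """Constructed sample upload directory for the demonstration (not a Bludit layout)."""
    root = tempfile.mkdtemp(prefix="upload-audit-")
    samples = {
        "logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,          # clean image
        "sub/photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 32,      # clean image
        "shell.php": b"<?php echo 'test'; ?>",                    # script by name and content
        "image.php.png": b"\x89PNG\r\n\x1a\n<?php echo 'x'; ?>",  # double extension, image header
        "notes.txt": b"plain text that happens to contain <?php",  # content only
    }
    for rel, data in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for rel_path, why in audit_upload_dir(sample_root):
        print(f"{rel_path}: {', '.join(why)}")
```

Findings are leads rather than verdicts: a text file containing "<?php" is harmless unless the server would execute it, so each hit should be checked against the server's handler configuration. The audit pairs naturally with a review of which API tokens exist and which of them carry upload rights.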

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is Bludit CMS?

Bludit is a flat-file content management system designed to create websites and blogs without needing a database. It stores content in simple text files, making it lightweight and fast. This vulnerability affects the API plugin, a component often used for remote site management or automated content updates.

Why is CVE-2026-38329 considered a Remote Code Execution risk?

This vulnerability falls under the weakness class of Improper Authorization (CWE-862). Because the API endpoint fails to verify permissions or restrict file types, an attacker can bypass security controls to upload a PHP script. Once uploaded, the server processes the file, granting the attacker the ability to execute unauthorized commands or gain control over the application environment.

How does an attacker trigger this vulnerability?

An attacker needs a valid API token to interact with the vulnerable file upload endpoint. Simply visiting the site or attempting to upload files without this credential will not trigger the bug. The issue is specifically tied to the processing logic within the API plugin that fails to validate the nature of the files being submitted.

Do I need to worry if my Bludit instance is internal?

Halo Surface Signal indicates that Bludit instances are frequently deployed as internet-facing services to enable remote content management, which significantly increases risk. If your instance is hosted on the public internet, it is directly reachable by external actors. If it is strictly internal, the risk is lower but still requires management based on your internal security policies.

When should I prioritize addressing this Bludit CMS issue?

You should begin by cataloging every instance of Bludit CMS running in your environment to understand your total footprint. Once identified, evaluate the role and network visibility of each system. Prioritize updates for any instances that are reachable from the internet or hold sensitive data, and coordinate with the respective system owners to apply the necessary security fixes.
