Bludit API Plugin Unrestricted File Upload RCE

This repository is a small standalone Python proof-of-concept exploit for CVE-2026-25099 affecting Bludit CMS versions earlier than 3.18.4. It contains two files: the main exploit script, CVE-2026-25099.py, and a README describing usage, affected versions, remediation, and sample output. The exploit automates a full authenticated attack chain against Bludit's API plugin. First, it queries GET /api/pages with a provided API token to obtain a valid page key. Next, it abuses POST /api/files/<page-key> to upload an arbitrary PHP file because the vulnerable endpoint does not validate file extension or content. The script generates a random .php filename and uploads a minimal webshell that executes commands passed through the cmd request parameter using PHP's system() function. After upload, it derives the expected public shell location under /bl-content/uploads/pages/<page-key>/<random>.php, verifies code execution by running id, and then either executes a single operator-supplied command or enters an interactive command loop. Structurally, the Python code is straightforward and organized into helper functions: get_page_key() for API enumeration, upload_shell() for exploitation, execute_command() for post-exploitation command execution, and main() for CLI handling and workflow orchestration. It uses argparse for command-line arguments and requests for HTTP communication. There is no framework dependency, no persistence logic, and no advanced evasion or payload staging. The exploit is operational because it includes a working payload and interactive command execution, but it is still a simple PoC-style tool rather than a heavily weaponized framework module. The main capability is authenticated remote code execution via arbitrary file upload leading to a webshell. The key prerequisite is possession of a valid Bludit API token and access to a vulnerable instance with the API plugin enabled.