Security Advisory - Published 2026-06-17 - Bludit CMS

Bludit CVE-2026-38329 and CVE-2026-50869: check API plugin exposure and files

Two Bludit CMS reports landed together. CVE-2026-38329 affects Bludit before 3.18.4 through API plugin file handling. CVE-2026-50869 is reported against Bludit 3.19.0 and involves directory traversal in the same plugin area. Review public API exposure before trusting the site.

Defensive scope: this page is for Bludit sites you own or are approved to repair. It does not include request paths, payloads, token abuse steps, or instructions for testing sites you do not control.

Who is affected

CVE             | Affected Bludit state | Risk area                                 | Immediate action
CVE-2026-38329  | Before 3.18.4         | API plugin file upload and execution risk | Upgrade to 3.18.4 or newer and review uploaded files
CVE-2026-50869  | 3.19.0 reported       | API plugin directory traversal risk       | Restrict API plugin access and watch vendor guidance

Owner self-check

# Locate the install; shared hosting often nests it a level or two down
find . -maxdepth 4 \( -iname 'bludit' -o -iname 'bl-plugins' -o -iname 'bl-content' \)
# Files that identify the version, the API plugin and the other plugins
find . -maxdepth 5 -type f | grep -Ei 'bludit|version|api|plugin\.php'
# Script-like files, archives and JSON changed in the last 10 days under the content and plugin folders
# (bl-content/databases/*.php are Bludit's own data stores and change on every edit; anything else needs a reason)
find bl-content bl-plugins -type f -mtime -10 2>/dev/null | grep -Ei '\.(php|phtml|phar|shtml|zip|json)$'

On shared hosting, use the hosting file manager if shell access is not available. Record the Bludit version, enabled plugins, API plugin state, and last modified files before deleting anything.
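The following script is an added example of recording that state in one pass; it is not Bludit's own tooling and not part of the original advisory. It assumes the standard Bludit 3 layout (version constant in bl-kernel/boot/variables.php, a plugin counted as installed when bl-content/databases/plugins/<name>/db.php exists, the API plugin in bl-plugins/api with its settings in bl-content/databases/plugins/api/db.php, and bl-content/databases/*.php being Bludit's own PHP-wrapped JSON stores). Confirm those paths against your install before relying on the output. With no argument it builds a constructed sample tree so it can be run offline.

```shell
#!/bin/sh
# bludit_inventory.sh: added example for recording the state this page asks for
# before anything is deleted. It is not Bludit's own tooling. Layout assumptions
# to confirm against your install: the version constant is defined in
# bl-kernel/boot/variables.php; a plugin counts as installed when
# bl-content/databases/plugins/<name>/db.php exists; the API plugin lives in
# bl-plugins/api and keeps its settings (including the token) in
# bl-content/databases/plugins/api/db.php; bl-content/databases/*.php are
# Bludit's own PHP-wrapped JSON stores and change on every normal edit.

bludit_version() {                  # $1 = site root; prints "unknown" if not found
    v=$(sed -n "s/.*define('BLUDIT_VERSION', *'\([^']*\)').*/\1/p" \
            "${1%/}/bl-kernel/boot/variables.php" 2>/dev/null | head -n 1)
    printf '%s\n' "${v:-unknown}"
}

installed_plugins() {               # one installed plugin name per line, sorted
    for d in "${1%/}"/bl-content/databases/plugins/*/; do
        [ -f "${d}db.php" ] && basename "$d"
    done | LC_ALL=C sort
}

api_plugin_state() {                # installed | code-only | absent
    if   [ -f "${1%/}/bl-content/databases/plugins/api/db.php" ]; then echo installed
    elif [ -d "${1%/}/bl-plugins/api" ];                          then echo code-only
    else                                                               echo absent
    fi
}

# Script-like files (including double extensions) and archives changed in the
# last $2 days under bl-content and bl-plugins, minus the database stores Bludit
# legitimately rewrites. Paths are printed relative to the site root; every
# line needs an explanation (an upgrade, a plugin install) or it is a finding.
recent_script_files() {
    root=${1%/}
    find "$root/bl-content" "$root/bl-plugins" -type f -mtime "-$2" 2>/dev/null \
        | sed "s|^$root/||" \
        | grep -Ei '\.(php[0-9]?|phtml|phar|shtml|zip)$|\.(php[0-9]?|phtml|phar)\.[a-z0-9]+$' \
        | grep -Ev '^bl-content/databases/([a-z]+\.php|plugins/[^/]+/db\.php)$' \
        | LC_ALL=C sort
}

make_sample_site() {                # constructed fixture so the script runs offline
    root=$(mktemp -d)
    mkdir -p "$root/bl-kernel/boot" "$root/bl-plugins/api" "$root/bl-plugins/about" \
             "$root/bl-content/databases/plugins/api" \
             "$root/bl-content/databases/plugins/about" \
             "$root/bl-content/uploads" "$root/bl-content/pages/hello"
    printf '%s\n' "<?php define('BLUDIT_VERSION', '3.18.3');" > "$root/bl-kernel/boot/variables.php"
    printf '%s\n' '<?php defined("BLUDIT") or die(); ?>{"token":"CONSTRUCTED"}' \
        > "$root/bl-content/databases/plugins/api/db.php"
    : > "$root/bl-content/databases/plugins/about/db.php"
    : > "$root/bl-content/databases/site.php"
    : > "$root/bl-plugins/api/plugin.php"
    : > "$root/bl-plugins/about/plugin.php"
    echo hello > "$root/bl-content/pages/hello/index.txt"
    echo '<?php' > "$root/bl-content/uploads/cache.php"        # dropped script
    echo '<?php' > "$root/bl-content/uploads/image.php.jpg"    # double extension
    touch -t 202001010000 "$root/bl-plugins/about/plugin.php"  # old file, must not appear
    echo "$root"
}

site=${1:-$(make_sample_site)}
echo "bludit_version:  $(bludit_version "$site")"
echo "api_plugin:      $(api_plugin_state "$site")"
echo "installed_plugins:"; installed_plugins "$site" | sed 's/^/  /'
echo "recent_script_files (10 days):"; recent_script_files "$site" 10 | sed 's/^/  /'
```

Run it as `sh bludit_inventory.sh /path/to/site` and keep the output with your notes; the point of the exclusion list in recent_script_files is that Bludit's own database rewrites are expected, so whatever remains is the list you have to explain.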

Logs and files to review

  • API plugin access after June 15, 2026, especially from addresses that do not match your normal admin location.
  • New or changed files under bl-content, plugin folders, upload folders, cache folders, and the site root.
  • PHP-like files, archives, double extensions, changed JSON metadata, and unfamiliar plugin files.
  • New administrator sessions, password resets, API token changes, or plugin enable and disable activity.
  • Web-server errors followed by file changes or unexpected outbound traffic from the hosting account.
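An added example of the first two checks above run against access-log lines; it is not from this page or from Bludit. It assumes the API plugin answers under the site's /api/ path and that you know the addresses your administrators normally use (the ADMIN_ALLOW values are documentation-range placeholders). The log lines at the bottom are constructed so the script runs offline.

```shell
#!/bin/sh
# api_log_triage.sh: added example, not from this page or from Bludit. It walks
# a combined-format access log for two of the things the checklist asks about.
# Assumptions to verify: the API plugin answers under the /api/ path of the
# site, and ADMIN_ALLOW holds the addresses your administrators normally come
# from (the values here are documentation-range placeholders).

ADMIN_ALLOW='203.0.113.10 198.51.100.7'
SINCE='2026-06-15'

# One line per /api/ request on or after SINCE from an address outside
# ADMIN_ALLOW: "ip date method path status". The query string is dropped so a
# token passed in the URL does not end up in your notes.
api_hits_from_strangers() {
    awk -v since="$SINCE" -v allow="$ADMIN_ALLOW" '
    BEGIN {
        n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1
        split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
        for (i = 1; i <= 12; i++) mon[m[i]] = sprintf("%02d", i)
    }
    {
        # combined format: $1 ip, $4 [dd/Mon/yyyy:hh:mm:ss, $6 "METHOD, $7 path, $9 status
        split(substr($4, 2), d, /[\/:]/)
        day = d[3] "-" mon[d[2]] "-" d[1]
        path = $7; sub(/\?.*/, "", path)
        if (day >= since && !($1 in ok) && path ~ /^\/api\//)
            print $1, day, substr($6, 2), path, $9
    }'
}

# Addresses that touched /api/ and later requested a script-like file under
# /bl-content/ (what a write through the API followed by execution looks like).
# Log order is taken as time order; each address is reported once.
api_then_content_script() {
    awk '
    { path = tolower($7); sub(/\?.*/, "", path) }
    path ~ /^\/api\// { seen[$1] = 1 }
    ($1 in seen) && !($1 in done) &&
        path ~ /^\/bl-content\/.*\.(php[0-9]?|phtml|phar|shtml)(\.|$)/ {
        print $1, path; done[$1] = 1
    }'
}

# Constructed sample lines, not a real log.
SAMPLE_LOG='203.0.113.10 - - [14/Jun/2026:09:01:12 +0000] "GET /api/pages HTTP/1.1" 200 812 "-" "curl/8.0"
192.0.2.44 - - [13/Jun/2026:03:12:45 +0000] "POST /api/pages HTTP/1.1" 401 30 "-" "python-requests/2.31"
198.51.100.7 - - [16/Jun/2026:08:00:00 +0000] "GET /api/pages?token=REDACTED HTTP/1.1" 200 812 "-" "curl/8.0"
192.0.2.44 - - [16/Jun/2026:03:12:45 +0000] "POST /api/pages?token=REDACTED HTTP/1.1" 200 90 "-" "python-requests/2.31"
192.0.2.44 - - [16/Jun/2026:03:13:02 +0000] "GET /bl-content/uploads/cache.php HTTP/1.1" 200 12 "-" "python-requests/2.31"
'

printf '%s' "$SAMPLE_LOG" | api_hits_from_strangers
printf '%s' "$SAMPLE_LOG" | api_then_content_script
```

On a real host replace the sample with `api_hits_from_strangers < /var/log/apache2/access.log` (or your panel's log export). The second function is the more useful of the two: an address that hits the API and then fetches a .php under bl-content is the sequence to take straight to the file review, and its timestamp is the "first suspicious timestamp" the repair request asks for.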

Safe fix path

  1. Upgrade Bludit versions affected by CVE-2026-38329 to 3.18.4 or newer.
  2. Restrict or disable the API plugin unless it is required for a trusted workflow.
  3. Put admin and API access behind VPN, SSO, or IP allow-listing where possible.
  4. Block script execution from upload and content directories at the web-server or hosting-panel layer.
  5. Rotate API tokens, admin passwords, SFTP/FTP credentials, and hosting-panel credentials if suspicious files are found.
  6. Redeploy from a clean backup if file changes cannot be explained.
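For step 4, the following is an added example of the web-server rule, not the .htaccess Bludit ships. It assumes Apache 2.4 with AllowOverride AuthConfig (or All) in effect for the site, and that nothing under bl-content is ever meant to be requested as a script over HTTP (Bludit's own bl-content/databases/*.php files are included by the application, not served). The pattern matches the script extension anywhere in the filename so that double-extension uploads are refused as well.

```apache
# bl-content/.htaccess: added hardening example, not Bludit's shipped file.
# Assumes Apache 2.4 and AllowOverride AuthConfig (or All) for this directory.
# Refuses cache.php and image.php.jpg alike; images and other uploads still serve.
<FilesMatch "\.(php[0-9]?|phtml|phar|shtml)(\.|$)">
    Require all denied
</FilesMatch>
```

After adding it, request a harmless test file such as bl-content/uploads/test.php on your own site and confirm a 403 rather than a 200. On nginx the equivalent is a `location ~* ^/bl-content/.*\.(php[0-9]?|phtml|phar|shtml)(\.|$) { return 403; }` block placed before the general PHP handler location, because nginx uses the first matching regex location.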

When to request repair

Use Ping7 CVE Repair if API plugin access was public, unknown PHP-like files appear, admin history is incomplete, or the site hosts forms, payments, accounts, or customer data. Send the Bludit version, plugin list, hosting type, and first suspicious timestamp.

References