CVE-2025-26260

8.8 HIGH

📋 TL;DR

Plenti versions up to 0.7.16 are vulnerable to remote code execution via the /postLocal endpoint. Attackers can upload .svelte files with malicious JavaScript code in the filename, which the server executes on the host. This affects all Plenti users with the vulnerable endpoint exposed.

💻 Affected Systems

Products:
  • Plenti
Versions: <= 0.7.16
Operating Systems: All platforms running Plenti
Default Config Vulnerable: ⚠️ Yes
Notes: All default configurations with the /postLocal endpoint enabled are vulnerable.


⚠️ Risk & Real-World Impact

🔴 Worst Case

Full server compromise allowing attackers to execute arbitrary commands, steal data, install malware, or pivot to other systems.

🟠 Likely Case

Unauthorized code execution leading to data exfiltration, service disruption, or backdoor installation.

🟢 If Mitigated

Limited impact if the endpoint is properly restricted, but still a significant risk if exploited.

🌐 Internet-Facing: HIGH - The /postLocal endpoint is typically accessible over network, making internet-facing instances highly vulnerable.
🏢 Internal Only: HIGH - Even internal instances are at risk from insider threats or compromised internal systems.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires access to the /postLocal endpoint and knowledge of the vulnerability, but no authentication bypass is needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v0.7.17

Vendor Advisory: https://github.com/plentico/plenti/security/advisories/GHSA-mj4v-hp69-27x5

Restart Required: No

Instructions:

1. Update Plenti to version 0.7.17 or later.
2. Run 'npm update plenti' or the equivalent package manager command.
3. Verify the update completed successfully.

🔧 Temporary Workarounds

Disable /postLocal endpoint (applies to: all)

Remove or restrict access to the vulnerable endpoint if not required.

  • Configure firewall rules to block access to the /postLocal endpoint
  • Modify the Plenti configuration to disable the endpoint

🧯 If You Can't Patch

  • Implement strict input validation for file uploads, rejecting any filename that is not a plain basename with the .svelte extension (no path separators, quotes, brackets or other code-like characters).
  • Deploy a web application firewall (WAF) with rules to detect and block malicious file upload patterns.

🔍 How to Verify

Check if Vulnerable:

Check Plenti version: if version <= 0.7.16 and /postLocal endpoint is accessible, the system is vulnerable.

Check Version:

plenti --version or check package.json for version

Verify Fix Applied:

Verify Plenti version is 0.7.17 or later and test that malicious .svelte file uploads no longer execute code.

📡 Detection & Monitoring

Log Indicators:

  • Unusual file uploads to /postLocal endpoint
  • .svelte files with suspicious filenames containing JavaScript code
  • Unexpected process execution following file uploads

Network Indicators:

  • HTTP POST requests to /postLocal with .svelte files
  • Unusual outbound connections from Plenti server after uploads

SIEM Query:

source="plenti" AND (url_path="/postLocal" OR file_extension=".svelte")
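An added example, not code from Plenti or from this advisory, covering both the filename allowlist suggested under "If You Can't Patch" and the log-based detection above. Plenti is written in Go, so the check is shown in Go; the log line format and the sample lines are constructed assumptions, not real Plenti output.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Allowlist for uploaded component names: a short basename of letters, digits,
// '_' or '-' plus exactly one ".svelte" extension. Quotes, brackets, semicolons,
// spaces and path separators never match.
var safeName = regexp.MustCompile(`^[A-Za-z0-9_-]{1,64}\.svelte$`)

// Pulls the filename out of a log line in the constructed format of sampleLog.
var fileField = regexp.MustCompile(`filename="([^"]*)"`)

// ValidSvelteFilename reports whether an uploaded filename passes the allowlist.
func ValidSvelteFilename(name string) bool {
	if strings.ContainsAny(name, `/\`) { // reject traversal before the regex
		return false
	}
	return safeName.MatchString(name)
}

// SuspiciousPostLocal returns filenames of POST /postLocal requests that fail
// the allowlist. Assumed line format: <ip> <METHOD> <path> filename="<name>"
func SuspiciousPostLocal(lines []string) []string {
	var hits []string
	for _, line := range lines {
		f := strings.Fields(line)
		if len(f) < 4 || f[1] != "POST" || f[2] != "/postLocal" {
			continue
		}
		if m := fileField.FindStringSubmatch(line); m != nil && !ValidSvelteFilename(m[1]) {
			hits = append(hits, m[1])
		}
	}
	return hits
}

// Constructed sample log lines, not real Plenti output.
var sampleLog = []string{
	`10.0.0.5 POST /postLocal filename="about.svelte"`,
	`10.0.0.9 POST /postLocal filename="index';console.log(1);'.svelte"`,
	`10.0.0.9 GET /about filename=""`,
	`10.0.0.7 POST /postLocal filename="../layout.svelte"`,
}

func main() {
	for _, h := range SuspiciousPostLocal(sampleLog) {
		fmt.Printf("rejected upload filename: %q\n", h)
	}
}
```

The same allowlist can sit in front of the upload handler itself, so that an upload is refused before anything on disk is touched.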
