Home > Vulnerability Database > CVE-2025-26260

Mend.io Vulnerability Database

CVE-2025-26260

Good to know:

Date: March 11, 2025

Plenti <= 0.7.16 is vulnerable to code execution. Users uploading '.svelte' files with the /postLocal endpoint can define the file name as javascript codes. The server executes the uploaded file name in host, and cause code execution.

Severity Score

8.8

Related Resources (11)

Url: https://github.com/plentico/plenti/security/advisories/GHSA-mj4v-hp69-27x5

Url: https://github.com/plentico/plenti/commit/c3e72a9ebbc2a03f4b0f3104becbfc25e390cb8e

Url: https://github.com/plentico/plenti

Url: https://github.com/plentico/plenti/releases/tag/v0.7.17

Url: https://github.com/ahmetak4n/vulnerability-playground/tree/main/vulnerability-research/CVE-2025-26260

Url: https://pkg.go.dev/vuln/GO-2025-3454

Url: https://ahmetakan.com/2025/02/14/cve-2025-26260

Url: https://ahmetakan.com/2025/02/14/cve-2025-26260/

Url: https://nvd.nist.gov/vuln/detail/CVE-2025-26260

Url: https://pkg.go.dev/vuln/GO-2025-3515

Url: https://www.mend.io/vulnerability-database/CVE-2025-26260

Severity Score

8.8

Weakness Type (CWE)

Improper Control of Generation of Code ('Code Injection')

CWE-94

Top Fix

Upgrade Version

Upgrade to version github.com/plentico/plenti - v0.7.17

Learn More

CVSS v3.1

Base Score:	8.8
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	REQUIRED
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2025-26260

Good to know:

Date: March 11, 2025

Severity Score

Related Resources (11)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?