CVE-2025-26260 Information

Description

Plenti <= 0.7.16 is vulnerable to code execution. Users uploading ‘.svelte’ files with the /postLocal endpoint can define the file name as javascript codes. The server executes the uploaded file name in host and cause code execution.

Reference

https://ahmetakan.com/2025/02/14/cve-2025-26260/ https://github.com/ahmetak4n/vulnerability-playground/tree/main/vulnerability-research/CVE-2025-26260 https://github.com/plentico/plenti/releases/tag/v0.7.17 https://github.com/plentico/plenti/security/advisories/GHSA-mj4v-hp69-27x5