CVE-2025-26260
Published: 12 March 2025
Description
Adversaries may abuse various implementations of JavaScript for execution.
Security Summary
CVE-2025-26260 is a code execution vulnerability affecting Plenti versions up to and including 0.7.16. The issue stems from the /postLocal endpoint, which accepts uploads of .svelte files and allows the filename to be crafted so that it contains JavaScript code. The server executes the JavaScript embedded in that filename directly on the host, leading to arbitrary code execution. The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) and is classified under CWE-94 (Code Injection).
A remote, unauthenticated attacker can exploit this vulnerability by tricking a user into uploading a specially crafted .svelte file via the /postLocal endpoint. The user interaction requirement (UI:R) typically involves social engineering, such as phishing, to induce the upload. Successful exploitation gives the attacker high impact on the confidentiality, integrity, and availability of the affected server, because the injected JavaScript runs on the server itself.
Official mitigations are detailed in Plenti's GitHub security advisories (GHSA-mj4v-hp69-27x5) and release notes for version 0.7.17, which patches the flaw. Security practitioners should upgrade to v0.7.17 or later. Further technical details, including a vulnerability playground, are available in the referenced GitHub repository and blog post.
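The defensive check implied by the description, written here as an added example rather than code from Plenti or its advisory: an upload filename is accepted only if it matches a strict allowlist and carries no path component, and a hypothetical code-generation step then embeds it only as a JSON string literal, so the value can never be interpreted as JavaScript. Go is used because Plenti is a Go project; the function names, the allowlist pattern and the generated import line are assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
	"path"
	"regexp"
	"strings"
)

// safeSvelteName allows only a bare basename of unreserved characters with a .svelte suffix.
// Assumption: component names in this project never need other characters.
var safeSvelteName = regexp.MustCompile(`^[A-Za-z0-9_-]+\.svelte$`)

// ValidateUploadName returns the filename unchanged if it is safe to use, or an error
// describing why it was rejected. Nothing that fails here may reach code generation.
func ValidateUploadName(name string) (string, error) {
	if name == "" || len(name) > 128 {
		return "", fmt.Errorf("rejected %q: empty or too long", name)
	}
	// An upload must never choose its own directory: normalise backslashes and
	// require the name to already be a bare basename.
	if path.Base(strings.ReplaceAll(name, `\`, "/")) != name {
		return "", fmt.Errorf("rejected %q: contains path separators", name)
	}
	if !safeSvelteName.MatchString(name) {
		return "", fmt.Errorf("rejected %q: characters outside [A-Za-z0-9_-] or missing .svelte suffix", name)
	}
	return name, nil
}

// ComponentImport builds the generated-JS line that references an uploaded component
// (hypothetical step). The name is validated and then emitted through json.Marshal, which
// escapes quotes, backslashes, <, >, & and U+2028/2029, so the result is always one string literal.
func ComponentImport(name string) (string, error) {
	clean, err := ValidateUploadName(name)
	if err != nil {
		return "", err
	}
	lit, err := json.Marshal("./" + clean) // a JSON string literal is a valid JS string literal
	if err != nil {
		return "", err
	}
	return fmt.Sprintf("import Component from %s;", lit), nil
}

func main() {
	// Constructed sample upload names, not taken from the advisory: one valid, three rejected.
	for _, n := range []string{"Header.svelte", "../Header.svelte", "a;b.svelte", "Header.js"} {
		if line, err := ComponentImport(n); err != nil {
			fmt.Println(err)
		} else {
			fmt.Println(line)
		}
	}
}
```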
Details
CWE(s): CWE-94 (Code Injection)
Affected Products: Plenti versions up to and including 0.7.16
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability in Plenti's /postLocal endpoint allows remote attackers to achieve code execution by uploading .svelte files whose filenames contain arbitrary JavaScript that the server executes. This corresponds to exploiting a public-facing application and to command execution through the JavaScript interpreter.