cvedb.io
CVE-2025-26260
HIGH · CVSS 8.8
EPSS exploitation probability: 0%
Published 2025-03-12T16:15:23.907 · Last modified 2026-06-17T09:01:32.257

Summary

Plenti <= 0.7.16 is vulnerable to code execution. Users uploading '.svelte' files through the /postLocal endpoint can set the file name to JavaScript code. The server executes the uploaded file name on the host, resulting in code execution.

Affected products

plenti — plenti

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.