Back to KEVs

CVE-2024-49380

Plenti arbitrary file write vulnerability

Basic Information

CVE State
PUBLISHED
Reserved Date
October 14, 2024
Published Date
October 25, 2024
Last Updated
October 25, 2024
Vendor
plentico
Product
plenti
Description
Plenti, a static site generator, has an arbitrary file write vulnerability in versions prior to 0.7.2. The `/postLocal` endpoint is vulnerable to an arbitrary file write vulnerability when a plenti user serves their website. This issue may lead to Remote Code Execution. Version 0.7.2 fixes the vulnerability.
Tags
nuclei_scanner

CVSS Scores

CVSS v4.0

8.9 - HIGH

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P

SSVC Information

Exploitation
poc
Automatable
Yes
Technical Impact
total

Exploit Status

Exploited in the Wild
Yes (2026-02-14 00:00:00 UTC) Source

References

https://securitylab.github.com/advisories/GHSL-2024-297_GHSL-2024-298_plenti/ https://github.com/plentico/plenti/blob/01825e0dcd3505fac57adc2edf29f772d585c008/cmd/serve.go#L205 https://github.com/plentico/plenti/releases/tag/v0.7.2

Known Exploited Vulnerability Information

Source Added Date
The Shadowserver (via CIRCL) 2026-02-14 00:00:00 UTC

Scanner Integrations

Scanner URL Date Detected
Nuclei https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2024/CVE-2024-49380.yaml 2025-04-25 00:00:00 UTC

Timeline

  • CVE ID Reserved

  • CVE Published to Public

  • Detected by Nuclei

  • Added to KEVIntel