Description
Bludit version 3.16.2 contains a stored cross-site scripting (XSS) vulnerability in the post content functionality. The application performs client-side sanitation of content input but does not enforce equivalent sanitation on the server side. An authenticated user can inject arbitrary JavaScript into the content field of a post, which is stored and later rendered to other users without proper output encoding. When viewed, the injected script executes in the context of the victim’s browser, allowing session hijacking, credential theft, content manipulation, or other actions within the user’s privileges.
Published: 2026-02-23
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored cross‑site scripting that can lead to session hijacking and credential theft.
Action: Apply Patch
AI Analysis

Impact

Bludit version 3.16.2 includes a stored cross‑site scripting flaw that allows an authenticated user to inject arbitrary JavaScript into the post content field. The application only sanitizes input on the client side and fails to apply equivalent server‑side filtering or output encoding. When another user views the post, the malicious script executes in the victim’s browser, giving the attacker the ability to hijack the session, steal credentials, or modify content within the victim’s privileges. This is a typical CWE‑79 vulnerability: unsanitized stored input is rendered as HTML without output encoding.

Affected Systems

The affected product is the Bludit content management system, specifically any installation running version 3.16.2 or earlier. No other vendors or product variants are listed as impacted, and the issue originates from the post‑content handling logic within the CMS core.

Risk and Exploitability

The CVSS base score of 5.1 indicates a moderate risk, and the EPSS score of less than 1% points to a very low likelihood of exploitation in the wild at the time of this assessment. The vulnerability is not currently listed in the CISA Known Exploited Vulnerabilities catalog. The attack vector is a stored XSS that requires an authenticated user to insert the malicious payload; once an attacker creates a post containing the script, any user who views that post is exposed.

Generated by OpenCVE AI on April 16, 2026 at 16:34 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest Bludit release (later than 3.16.2), which includes server‑side sanitization for post content.
  • If an upgrade is not immediately possible, enforce a strict Content Security Policy that disallows inline scripts and restricts script sources to trusted origins.
  • As a temporary measure, restrict or disable the ability for authenticated users to create or edit posts until the patch or policy is applied, or apply server‑side filtering to escape HTML characters before storing content.
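The second and third actions above, worked through as an added example that is not Bludit's own code: post content is run through a server-side allowlist sanitizer on save (independent of any client-side filter), plain-text fields are output-encoded at render time, and a CSP header refuses inline scripts. The tag and attribute allowlist, the function names, and the sample payload are assumptions chosen for illustration.

```php
<?php
// Added example (not Bludit's code): server-side allowlist sanitization of post
// content plus output encoding and a CSP header at render time. The allowlist
// below is an assumption; adjust it to the markup your posts legitimately need.
const ALLOWED_TAGS  = ['p', 'br', 'strong', 'em', 'a', 'ul', 'ol', 'li', 'h2', 'h3', 'blockquote', 'pre', 'code'];
const ALLOWED_ATTRS = ['a' => ['href', 'title']];

function sanitizePostContent(string $html): string
{
    $doc = new DOMDocument();
    // Wrap the fragment in a single root; the <?xml ...> prefix forces UTF-8
    // interpretation and the LIBXML flags silence noise from sloppy markup.
    $doc->loadHTML('<?xml encoding="UTF-8"><div>' . $html . '</div>', LIBXML_NOERROR | LIBXML_NOWARNING);
    $root = $doc->getElementsByTagName('div')->item(0); // our wrapper: first <div> in document order
    cleanNode($root);
    $out = '';
    foreach ($root->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

function cleanNode(DOMNode $node): void
{
    // Snapshot the child list: removing nodes mutates the live NodeList.
    foreach (iterator_to_array($node->childNodes) as $child) {
        if ($child instanceof DOMElement) {
            $tag = strtolower($child->tagName);
            if (!in_array($tag, ALLOWED_TAGS, true)) {
                $node->removeChild($child); // drops <script>, <iframe>, <img onerror=...> with their content
                continue;
            }
            foreach (iterator_to_array($child->attributes) as $attr) {
                $name       = strtolower($attr->name);
                $unsafeHref = ($name === 'href') && !preg_match('#^https?://#i', trim($attr->value)); // blocks javascript:, data:
                if (!in_array($name, ALLOWED_ATTRS[$tag] ?? [], true) || $unsafeHref) {
                    $child->removeAttribute($attr->name); // event handlers, style, unknown attributes
                }
            }
            cleanNode($child);
        } elseif (!($child instanceof DOMText)) {
            $node->removeChild($child); // comments and processing instructions
        }
    }
}

// Render time: plain-text fields are HTML-encoded; only sanitized HTML is emitted raw,
// and the CSP refuses inline scripts even if a stored payload slipped through.
function renderPost(string $title, string $storedHtml): string
{
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'");
    return '<h1>' . htmlspecialchars($title, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</h1>' . $storedHtml;
}

// Constructed sample of the kind of content a client-side-only filter does not stop.
$raw = '<p>Hello</p><script>alert(1)</script><a href="javascript:alert(2)" onclick="x()">x</a>';
echo renderPost('Post <title>', sanitizePostContent($raw));
```

Posts stored before the sanitizer was introduced are not covered by sanitizing on save alone, so call the same function on the stored HTML at render time until existing content has been re-saved.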


Advisories

No advisories yet.

History

Thu, 26 Feb 2026 19:15:00 +0000

Type: Metrics (ssvc)
Values added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 26 Feb 2026 03:15:00 +0000

Type: CPEs
Values added: cpe:2.3:a:bludit:bludit:*:*:*:*:*:*:*:*

Tue, 24 Feb 2026 10:00:00 +0000

Type: First Time appeared
Values added: Bludit; Bludit bludit
Type: Vendors & Products
Values added: Bludit; Bludit bludit

Mon, 23 Feb 2026 22:15:00 +0000

Type: Description
Values added: Bludit version 3.16.2 contains a stored cross-site scripting (XSS) vulnerability in the post content functionality. The application performs client-side sanitation of content input but does not enforce equivalent sanitation on the server side. An authenticated user can inject arbitrary JavaScript into the content field of a post, which is stored and later rendered to other users without proper output encoding. When viewed, the injected script executes in the context of the victim’s browser, allowing session hijacking, credential theft, content manipulation, or other actions within the user’s privileges.
Type: Title
Values added: Bludit <= 3.16.2 Stored XSS in Post Content
Type: Weaknesses
Values added: CWE-79
Type: References
Type: Metrics
Values added:
  cvssV3_1: {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}
  cvssV4_0: {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-05T01:31:24.004Z

Reserved: 2026-02-23T21:38:48.841Z

Link: CVE-2026-27742

Vulnrichment

Updated: 2026-02-25T15:34:23.476Z

NVD

Status: Analyzed

Published: 2026-02-23T22:16:25.440

Modified: 2026-02-26T03:04:02.447

Link: CVE-2026-27742

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T16:45:25Z

Weaknesses