Description
Bludit CMS prior to commit 6732dde contains a reflected cross-site scripting vulnerability in the search plugin that allows unauthenticated attackers to inject arbitrary JavaScript by crafting a malicious search query. Attackers can execute malicious scripts in the browsers of users who visit crafted URLs containing the payload, potentially stealing session cookies or performing actions on behalf of affected users.
Published: 2026-04-21
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Reflected Cross‑Site Scripting
Action: Immediate Patch
AI Analysis

Impact

The flaw exists in the Bludit CMS search plugin, where user‑supplied search terms are echoed into the page without proper escaping, allowing an unauthenticated attacker to inject arbitrary JavaScript. The result is a reflected XSS that can run when other users visit the crafted URL, enabling cookie theft or user‑context actions. This vulnerability corresponds to CWE‑79.

Affected Systems

Affected products are Bludit CMS versions released before security commit 6732dde. The advisory does not list a specific release range, but the commit that resolves the issue is available on GitHub, and the references indicate that any version predating it is vulnerable.

Risk and Exploitability

The CVSS base score of 5.1 indicates moderate severity. Exploitation requires user interaction, but only that a victim open a crafted URL, so the attack is easy to mount at scale; however, the EPSS score is not available, so the current exploitation probability is unknown. The flaw is not listed in CISA KEV, but because it is reflected XSS, any user who follows the link can trigger it, making it potentially impactful for session hijacking or defacement.

Generated by OpenCVE AI on April 22, 2026 at 05:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a Bludit release that includes commit 6732dde or later, which sanitizes the search query.
  • Verify that the search functionality reflects input only in escaped form; if the patch cannot be applied, disable or remove the search plugin from the site.
  • As an interim precaution, enforce input validation on the search field to strip out HTML tags or script content.
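To make the Impact description and the recommended actions above concrete, the following is an added example, not Bludit's own plugin source: a hypothetical search-results heading rendered the unsafe way (raw query concatenated into HTML, the CWE-79 pattern described above) next to the hardened form that HTML-encodes the query before output. The function and parameter names are assumptions for illustration.

```php
<?php
// Added example (not Bludit code). Assumes a search plugin that echoes the
// user's query term back into the results page; names here are hypothetical.

// Vulnerable pattern: the raw query is concatenated straight into HTML, so
// any markup in the ?q= parameter becomes part of the rendered page (CWE-79).
function renderSearchHeadingUnsafe(string $query): string
{
    return '<h2>Results for: ' . $query . '</h2>';
}

// Hardened pattern: encode for the HTML text context before output.
// ENT_QUOTES encodes both quote styles, so the same helper is also safe inside
// a double- or single-quoted attribute value; ENT_SUBSTITUTE replaces invalid
// UTF-8 sequences instead of returning an empty string.
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
}

function renderSearchHeadingSafe(string $query): string
{
    return '<h2>Results for: ' . escapeHtml($query) . '</h2>';
}

// Constructed input: harmless markup and quotes, enough to show the difference.
$query = isset($_GET['q']) ? (string) $_GET['q'] : '<b>latest</b> "posts"';

echo renderSearchHeadingUnsafe($query), PHP_EOL; // markup is interpreted by the browser
echo renderSearchHeadingSafe($query), PHP_EOL;   // markup is shown literally as text
```

Run it from the command line (`php example.php`) to compare the two outputs. Output encoding at the point where the value is written into HTML is the fix the advisory's commit is described as applying; stripping tags from the input, as the interim bullet suggests, is weaker because it does not cover attribute or JavaScript contexts and can be bypassed by encodings the stripper does not recognise, so treat it only as a stopgap until the patched release is deployed.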


Tracking


Advisories

No advisories yet.

History

Wed, 22 Apr 2026 04:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared  -                Bludit
                                      Bludit bludit
Vendors & Products   -                Bludit
                                      Bludit bludit

Wed, 22 Apr 2026 00:00:00 +0000

Type          Values Removed   Values Added
Description   -                Bludit CMS prior to commit 6732dde contains a reflected cross-site scripting vulnerability in the search plugin that allows unauthenticated attackers to inject arbitrary JavaScript by crafting a malicious search query. Attackers can execute malicious scripts in the browsers of users who visit crafted URLs containing the payload, potentially stealing session cookies or performing actions on behalf of affected users.
Title         -                Bludit CMS Reflected XSS via Search Plugin
Weaknesses    -                CWE-79
References    -
Metrics       -                cvssV4_0

{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-21T18:46:34.003Z

Reserved: 2026-04-20T16:07:47.310Z

Link: CVE-2026-41456

Vulnrichment

Updated: 2026-04-21T18:46:29.123Z

NVD

Status : Deferred

Published: 2026-04-21T19:16:18.557

Modified: 2026-04-22T21:20:25.267

Link: CVE-2026-41456

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T05:45:09Z

Weaknesses