Description
Bludit is vulnerable to Stored Cross-Site Scripting (XSS) in its page creation functionality. An authenticated attacker with page creation privileges (such as Author, Editor, or Administrator) can embed a malicious JavaScript payload in the tags field of a newly created article. This payload will be executed when a victim visits the URL of the uploaded resource. The uploaded resource itself is accessible without authentication. Critically, this vulnerability could be used to automatically create a new site administrator if the victim has enough privileges.

The vendor was notified early about this vulnerability, but didn't respond with the details of the vulnerability or the vulnerable version range. Only versions 3.17.2 and 3.18.0 were tested and confirmed as vulnerable; other versions were not tested and might also be vulnerable.
Published: 2026-04-07
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting via tags field
Action: Immediate Patch
AI Analysis

Impact

Bludit allows authenticated users with page‑creation rights to insert arbitrary JavaScript into the tags field of a newly created article. Because the tags field is rendered without escaping, the script runs in any browser that opens the article’s URL, creating a classic stored XSS. An attacker can abuse this to steal session cookies, deface the site, execute arbitrary actions on behalf of the victim, or, if the victim possesses higher‑level administrative privileges, automatically create a new administrator account.
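As an added illustration (not Bludit's own code), the PHP below shows the unescaped rendering pattern the analysis describes next to a hardened version that applies contextual output encoding with htmlspecialchars() and rawurlencode(), plus an allowlist check at write time as defense in depth. The function names, the /tag/<name> URL scheme and the sample tag values are assumptions made for this example.

```php
<?php
// Added example, not Bludit's own code. Assumed input: an array of tag strings
// exactly as submitted on the page-creation form by an authenticated author.
declare(strict_types=1);

/**
 * Vulnerable pattern: tag text is concatenated into HTML unchanged, so a tag
 * containing markup becomes live markup in every visitor's browser.
 */
function renderTagsUnsafe(array $tags): string
{
    $html = '';
    foreach ($tags as $tag) {
        $html .= '<a href="/tag/' . $tag . '">' . $tag . '</a> ';
    }
    return $html;
}

/** HTML entity encoding for text nodes and attribute values (UTF-8). */
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/**
 * Hardened pattern: contextual output encoding. The URL path segment is
 * percent-encoded, the href attribute and the visible text are entity-encoded.
 */
function renderTagsSafe(array $tags): string
{
    $html = '';
    foreach ($tags as $tag) {
        $href = '/tag/' . rawurlencode($tag);
        $html .= '<a href="' . escapeHtml($href) . '">' . escapeHtml($tag) . '</a> ';
    }
    return $html;
}

/**
 * Defense in depth at write time: accept only tags made of letters, digits,
 * spaces, underscores and hyphens (1-64 characters). Rejected tags are
 * collected so the form can report them; output encoding stays mandatory.
 */
function validateTags(array $tags, array &$rejected = []): array
{
    $accepted = [];
    foreach ($tags as $tag) {
        $tag = trim($tag);
        if ($tag !== '' && preg_match('/^[\p{L}\p{N} _-]{1,64}$/u', $tag) === 1) {
            $accepted[] = $tag;
        } else {
            $rejected[] = $tag;
        }
    }
    return $accepted;
}

// Constructed sample input: one benign tag and one carrying markup.
$tags = ['security', '<script>alert(1)</script>'];

echo "Unsafe rendering:\n", renderTagsUnsafe($tags), "\n\n";
echo "Safe rendering:\n", renderTagsSafe($tags), "\n\n";

$rejected = [];
$clean = validateTags($tags, $rejected);
echo 'Accepted: ', implode(', ', $clean), "\n";
echo 'Rejected: ', implode(', ', $rejected), "\n";
```

The validation step narrows what is stored, but the fix that actually closes the stored XSS is the encoding applied at every point where a tag is rendered, including theme templates and any JSON or RSS output that embeds tag names.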

Affected Systems

The vulnerability has been verified on Bludit versions 3.17.2 and 3.18.0. Other releases were not formally tested but are suspected to be affected as well, so any site running versions from this range should be treated as at risk.

Risk and Exploitability

The CVSS score of 5.1 indicates moderate severity. Because the exploit requires an authenticated account with article-creation rights, the risk is limited to sites with loose permission controls or where attackers can compromise a low-privilege user. The missing EPSS data and absence from the KEV catalog suggest exploitation is not yet widespread, but the potential to elevate privileges by auto-creating an administrator raises the threat level for sites with exposed vulnerable functionality.

Generated by OpenCVE AI on April 7, 2026 at 12:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor‑issued patch or upgrade to a non‑vulnerable version as soon as it becomes available.
  • Sanitize or remove the tags field from the page creation form to eliminate the vector for script injection.
  • Restrict page‑creation privilege to trusted users and review access controls regularly.
  • Disable or monitor the feature that permits automatic administrator creation to prevent unauthorized account escalation.
  • Inspect site logs for anomalous account activity and remove any unexpectedly created administrator accounts.

Advisories

No advisories yet.

History

Mon, 20 Apr 2026 17:00:00 +0000

Type: CPEs
  Values Added:
    cpe:2.3:a:bludit:bludit:3.17.2:*:*:*:*:*:*:*
    cpe:2.3:a:bludit:bludit:3.18.0:*:*:*:*:*:*:*

Type: Metrics (cvssV3_1)
  Values Added:
    {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}


Wed, 08 Apr 2026 20:15:00 +0000

Type: First Time appeared
  Values Added:
    Bludit
    Bludit bludit

Type: Vendors & Products
  Values Added:
    Bludit
    Bludit bludit

Tue, 07 Apr 2026 18:00:00 +0000

Type: Metrics (ssvc)
  Values Added:
    {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 07 Apr 2026 11:00:00 +0000

Type: Description
  Values Added:
    Bludit is vulnerable to Stored Cross-Site Scripting (XSS) in its page creating functionality. An authenticated attacker with page creation privileges (such as Author, Editor, or Administrator) can embed a malicious JavaScript payload in the tags field of a newly created article. This payload will be executed when a victim visits the URL of the uploaded resource. The uploaded resource itself is accessible without authentication. Critically, this vulnerability could be used to automatically create a new site administrator if the victim has enough privileges. The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only versions 3.17.2 and 3.18.0 were tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable.

Type: Title
  Values Added:
    Stored XSS via Page Creating functionality in Bludit

Type: Weaknesses
  Values Added:
    CWE-79

Type: References

Type: Metrics (cvssV4_0)
  Values Added:
    {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N'}


MITRE

Status: PUBLISHED

Assigner: CERT-PL

Published:

Updated: 2026-04-07T16:28:47.502Z

Reserved: 2026-03-19T10:22:11.295Z

Link: CVE-2026-4420

Vulnrichment

Updated: 2026-04-07T16:28:36.918Z

NVD

Status: Analyzed

Published: 2026-04-07T11:16:07.810

Modified: 2026-04-20T16:51:25.020

Link: CVE-2026-4420

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-08T19:49:49Z

Weaknesses