CVE-2026-25100

Medium CVSS: 4.8

Bludit is vulnerable to Stored Cross-Site Scripting (XSS) in its image upload functionality. An authenticated attacker with content upload privileges (such as Author, Editor, or Administrator) can upload an SVG file containing a malicious payload, which is executed when a victim visits the URL of the uploaded resource. The uploaded resource itself is accessible without authentication.

The vendor was notified early about this vulnerability, but stopped responding in the middle of coordination. All versions up to 3.18.2 are considered to be vulnerable, future versions might also be vulnerable.

Vendor

Bludit

Product

Bludit

CWE

CWE-79

Yayın Tarihi

2026-03-27 12:16:20

Güncelleme

2026-04-01 13:56:52

Source Identifier

cvd@cert.pl

KEV Date Added

Kategoriler

CWE-79 Bludit MEDIUM Bludit 2026

Referanslar

https://cert.pl/posts/2026/03/CVE-2026-25099 https://github.com/bludit/bludit/releases/tag/3.18.2

Benzer Kayıtlar

Medium

CVE-2026-25101

Bludit allows user's session identifier to be set before authentication. The value of this session ID stays the same aft…

High

CVE-2026-25099

Bludit’s API plugin allows an authenticated attacker with a valid API token to upload files of any type and extension wi…

Medium

CVE-2026-27741

Bludit version 3.16.1 contains a cross-site request forgery (CSRF) vulnerability in the /admin/uninstall-plugin/ and /ad…

Medium

CVE-2026-27742

Bludit version 3.16.2 contains a stored cross-site scripting (XSS) vulnerability in the post content functionality. The…

High

CVE-2023-53907

Bludit versions before 3.13.1 contain an authenticated file download vulnerability in the Backup Plugin that allows logg…