CVE-2026-25101

Medium CVSS: 4.8

Bludit allows user's session identifier to be set before authentication. The value of this session ID stays the same after authentication. This behavior enables an attacker to fix a session ID
for a victim and later hijack the authenticated session.

This issue was fixed in version 3.17.2.

Vendor

Bludit

Product

Bludit

CWE

CWE-384

Yayın Tarihi

2026-03-27 12:16:20

Güncelleme

2026-04-02 20:53:39

Source Identifier

cvd@cert.pl

KEV Date Added

Kategoriler

CWE-384 Bludit MEDIUM Bludit 2026

Referanslar

https://cert.pl/posts/2026/03/CVE-2026-25099 https://github.com/bludit/bludit/releases/tag/3.17.2

Benzer Kayıtlar

Medium

CVE-2026-25100

Bludit is vulnerable to Stored Cross-Site Scripting (XSS) in its image upload functionality. An authenticated attacker w…

High

CVE-2026-25099

Bludit’s API plugin allows an authenticated attacker with a valid API token to upload files of any type and extension wi…

Medium

CVE-2026-27741

Bludit version 3.16.1 contains a cross-site request forgery (CSRF) vulnerability in the /admin/uninstall-plugin/ and /ad…

Medium

CVE-2026-27742

Bludit version 3.16.2 contains a stored cross-site scripting (XSS) vulnerability in the post content functionality. The…

High

CVE-2023-53907

Bludit versions before 3.13.1 contain an authenticated file download vulnerability in the Backup Plugin that allows logg…