Bludit EUVD-2026-19598

Q: What is the CVSS score of EUVD-2026-19598?

EUVD-2026-19598 has a CVSS 4.0 base score of 5.1 (Medium). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.1%.

| CVE-2026-4420 MEDIUM

Cross-site Scripting (XSS) (CWE-79)

2026-04-07 CERT-PL

GHSA-w5x8-257x-9rv5

XSS Bludit

5.1

CVSS 4.0 · NVD

Severity by source

NVD PRIMARY

5.1 MEDIUM

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

Scope

Lifecycle Timeline

EUVD ID Assigned

Apr 07, 2026 - 11:00 euvd

EUVD-2026-19598

Analysis Generated

Apr 07, 2026 - 11:00 vuln.today

CVE Published

Apr 07, 2026 - 10:46 nvd

MEDIUM 5.1

DescriptionCVE.org

Bludit is vulnerable to Stored Cross-Site Scripting (XSS) in its page creating functionality. An authenticated attacker with page creation privileges (such as Author, Editor, or Administrator) can embed a malicious JavaScript payload in the tags field of a newly created article. This payload will be executed when a victim visits the URL of the uploaded resource. The uploaded resource itself is accessible without authentication. Critically, this vulnerability could be used to automatically create a new site administrator if the victim has enough privileges.

The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only versions 3.17.2 and 3.18.0 were tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable.

AnalysisAI

Stored XSS in Bludit page creation functionality allows authenticated users with author privileges or higher to inject malicious JavaScript via the tags field, executing arbitrary code in victims' browsers when they access the affected page. Bludit versions 3.17.2 and 3.18.0 are confirmed vulnerable; the vendor did not respond with remediation details or clarify the full version range affected. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Vulnerability AssessmentAI

Risk Assessment	CVSS score of 5.1 indicates moderate severity, corroborated by the vector details: network-accessible (AV:N), low complexity (AC:L), requires low privilege (PR:L) and user interaction (UI:P), and results in low integrity impact (VI:L) with scope change (SC:L). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An authenticated user (Editor or Author) creates a new page and embeds JavaScript in the tags field, e.g., `<img src=x onerror="fetch('/admin/new-user?user=admin&pass=hacked')">`. When an administrative user visits this page to review content, the payload executes in their browser session, automatically creating a new admin account without their knowledge. …
Remediation	No vendor-released patch has been identified at time of analysis; the vendor did not respond with remediation details. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

EUVD-2026-19598 vulnerability details – vuln.today

Back