Skip to main content

Blueprintue Self Hosted Edition

2 CVEs product

Monthly

CVE-2026-40588 HIGH PATCH This Week

Account takeover in blueprintUE Self-Hosted Edition <4.2.0 allows authenticated attackers to permanently hijack any account by changing its password without current password verification. Attackers who obtain session access through XSS, session hijacking, physical access, or stolen cookies can immediately lock out legitimate users. The vulnerability requires low-privileged authentication (PR:L) but has high confidentiality and integrity impact, enabling full account control and data access. Fixed in version 4.2.0.

XSS Blueprintue Self Hosted Edition
NVD GitHub
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-40587 MEDIUM PATCH This Month

blueprintUE prior to version 4.2.0 fails to invalidate active user sessions when passwords are changed or reset, allowing attackers with compromised sessions to maintain indefinite account access even after the legitimate user detects the breach and changes their password. The attacker retains full account privileges until the session naturally expires (default 24 hours) or is manually cleared, creating a critical window where password changes provide no security benefit.

Information Disclosure Blueprintue Self Hosted Edition
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Account takeover in blueprintUE Self-Hosted Edition <4.2.0 allows authenticated attackers to permanently hijack any account by changing its password without current password verification. Attackers who obtain session access through XSS, session hijacking, physical access, or stolen cookies can immediately lock out legitimate users. The vulnerability requires low-privileged authentication (PR:L) but has high confidentiality and integrity impact, enabling full account control and data access. Fixed in version 4.2.0.

XSS Blueprintue Self Hosted Edition
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

blueprintUE prior to version 4.2.0 fails to invalidate active user sessions when passwords are changed or reset, allowing attackers with compromised sessions to maintain indefinite account access even after the legitimate user detects the breach and changes their password. The attacker retains full account privileges until the session naturally expires (default 24 hours) or is manually cleared, creating a critical window where password changes provide no security benefit.

Information Disclosure Blueprintue Self Hosted Edition
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy