VYPR
Unrated severityNVD Advisory· Published Feb 23, 2026· Updated Mar 5, 2026

Bludit <= 3.16.1 CSRF in Plugin and Theme Management Endpoints

CVE-2026-27741

Description

Bludit version 3.16.1 contains a cross-site request forgery (CSRF) vulnerability in the /admin/uninstall-plugin/ and /admin/install-theme/ endpoints. The application does not implement anti-CSRF tokens or other request origin validation mechanisms for these administrative actions. An attacker can induce an authenticated administrator to visit a malicious page that silently submits crafted requests, resulting in unauthorized plugin uninstallation or theme installation. This may lead to loss of functionality, execution of untrusted code via malicious themes, and compromise of system integrity.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

2
  • Bludit/Bluditllm-fuzzy2 versions
    <=3.16.1+ 1 more
    • (no CPE)range: <=3.16.1
    • (no CPE)range: 0

Patches

Vulnerability mechanics

References

2

News mentions

0

No linked articles in our index yet.