VYPR
Vendor: Bludit

Products: 2
CVEs: 47 (47 across products)
Status: Private

Recent CVEs (47)
  • CVE-2026-50869 | Critical | Jun 15, 2026
    risk 0.64 | CVSS 9.8 | EPSS 0.01

    An issue in the api/plugin.php component of Bludit v3.19.0 allows attackers to perform directory traversal by supplying a crafted request.

  • CVE-2026-38329 | Critical | Jun 15, 2026
    risk 0.57 | CVSS 9.8 | EPSS 0.01

    Bludit CMS before version 3.18.4 allows Remote Code Execution (RCE) via the API Plugin. The POST /api/files/{key} endpoint in bl-plugins/api/plugin.php fails to perform authorization checks and lacks file extension validation. An attacker with a valid API token can upload a…

  • CVE-2026-25101 | Critical | Mar 27, 2026
    risk 0.57 | CVSS 9.8 | EPSS 0.00

    Bludit allows a user's session identifier to be set before authentication. The value of this session ID stays the same after authentication. This behavior enables an attacker to fix a session ID for a victim and later hijack the authenticated session. This issue was fixed in…

  • CVE-2026-25099 | High | Mar 27, 2026
    risk 0.53 | CVSS 8.8 | EPSS 0.02

    Bludit’s API plugin allows an authenticated attacker with a valid API token to upload files of any type and extension without restriction, which can then be executed, leading to Remote Code Execution. This issue was fixed in 3.18.4.

  • CVE-2026-46656 | High | Jun 8, 2026
    risk 0.50 | CVSS 8.8 | EPSS 0.00

    Bludit is a content management system. Versions prior to 3.22.0 have a Broken Access Control flaw where active sessions remain valid even after the corresponding user account has been physically deleted from the database. This "Ghost Session" allows revoked users to maintain…

  • CVE-2018-16313 | Medium | Sep 1, 2018
    risk 0.40 | CVSS 6.1 | EPSS 0.01

    Bludit 2.3.4 allows XSS via a user name.

  • CVE-2026-46657 | High | Jun 8, 2026
    risk 0.39 | CVSS 7.1 | EPSS 0.00

    Bludit is a content management system. Versions prior to 3.22.0 have a vulnerability in the user management logic that allows deactivated accounts to maintain access via persistent authentication tokens. When an administrator disables a user account, the application fails to…

  • CVE-2026-4420 | Medium | Apr 7, 2026
    risk 0.35 | CVSS 5.4 | EPSS 0.00

    Bludit is vulnerable to Stored Cross-Site Scripting (XSS) in its page creating functionality. An authenticated attacker with page creation privileges (such as Author, Editor, or Administrator) can embed a malicious JavaScript payload in the tags field of a newly created…

  • CVE-2017-16636 | Medium | Nov 6, 2017
    risk 0.35 | CVSS 5.4 | EPSS 0.01

    In Bludit v1.5.2 and v2.0.1, an XSS vulnerability is located in the new page, new category, and edit post function body message context. Remote attackers are able to bypass the basic editor validation to trigger cross site scripting. The XSS is persistent and the request method…

  • CVE-2026-25100 | Medium | Mar 27, 2026
    risk 0.28 | CVSS 5.4 | EPSS 0.00

    Bludit is vulnerable to Stored Cross-Site Scripting (XSS) in its image upload functionality. An authenticated attacker with content upload privileges (such as Author, Editor, or Administrator) can upload an SVG file containing a malicious payload, which is executed when a victim…

  • CVE-2026-41456 | Medium | Apr 21, 2026
    risk 0.26 | CVSS not listed | EPSS 0.00

    Bludit CMS prior to commit 6732dde contains a reflected cross-site scripting vulnerability in the search plugin that allows unauthenticated attackers to inject arbitrary JavaScript by crafting a malicious search query. Attackers can execute malicious scripts in the browsers of…

  • CVE-2019-16113 | Sep 8, 2019
    risk 0.10 | CVSS not listed | EPSS 0.78

    Bludit 3.9.2 allows remote code execution via bl-kernel/ajax/upload-images.php because PHP code can be entered with a .jpg file name, and then this PHP code can write other PHP code to a ../ pathname.

  • CVE-2019-17240 | Oct 6, 2019
    risk 0.06 | CVSS not listed | EPSS 0.40

    bl-kernel/security.class.php in Bludit 3.9.2 allows attackers to bypass a brute-force protection mechanism by using many different forged X-Forwarded-For or Client-IP HTTP headers.

  • CVE-2018-1000811 | Dec 20, 2018
    risk 0.04 | CVSS not listed | EPSS 0.48

    Bludit version 3.0.0 contains an Unrestricted Upload of File with Dangerous Type vulnerability in Content Upload in the Pages Editor that can result in Remote Command Execution. This attack appears to be exploitable when a malicious user uploads a crafted payload containing PHP…

  • CVE-2023-31698 | May 17, 2023
    risk 0.03 | CVSS not listed | EPSS 0.03

    Bludit v3.14.1 is vulnerable to Stored Cross Site Scripting (XSS) via SVG file on site logo. NOTE: the product's security model is that users are trusted by the administrator to insert arbitrary content (users cannot create their own accounts through self-registration).

  • CVE-2021-35323 | Oct 19, 2021
    risk 0.03 | CVSS not listed | EPSS 0.06

    A Cross Site Scripting (XSS) vulnerability exists in Bludit 3.13.1 via the username in admin/login.

  • CVE-2020-18879 | Aug 20, 2021
    risk 0.01 | CVSS not listed | EPSS 0.03

    Unrestricted File Upload in Bludit v3.8.1 allows remote attackers to execute arbitrary code by uploading malicious files via the component 'bl-kernel/ajax/upload-logo.php'.

  • CVE-2026-27741 | Feb 23, 2026
    risk 0.00 | CVSS not listed | EPSS 0.00

    Bludit version 3.16.1 contains a cross-site request forgery (CSRF) vulnerability in the /admin/uninstall-plugin/ and /admin/install-theme/ endpoints. The application does not implement anti-CSRF tokens or other request origin validation mechanisms for these administrative…

  • CVE-2026-27742 | Feb 23, 2026
    risk 0.00 | CVSS not listed | EPSS 0.00

    Bludit version 3.16.2 contains a stored cross-site scripting (XSS) vulnerability in the post content functionality. The application performs client-side sanitization of content input but does not enforce equivalent sanitization on the server side. An authenticated user can inject…

  • CVE-2023-53907 | Dec 17, 2025
    risk 0.00 | CVSS not listed | EPSS 0.01

    Bludit versions before 3.13.1 contain an authenticated file download vulnerability in the Backup Plugin that allows logged-in users to access arbitrary files. Attackers can exploit the plugin's download functionality by manipulating file path parameters to read sensitive system…
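Several entries in the list above are the same two defects seen from different endpoints: uploads whose type is decided by the client (CVE-2026-38329, CVE-2026-25099, CVE-2018-1000811, CVE-2020-18879, PHP smuggled into a .jpg file name in CVE-2019-16113, script-bearing SVG in CVE-2023-31698 and CVE-2026-25100) and user-supplied paths that are joined to a base directory without a containment check (CVE-2023-53907 backup download, CVE-2026-50869 api/plugin.php traversal). The following is an added example, not Bludit's code, showing the checks that close both classes: an allow-list keyed on the last extension, magic-byte agreement, a server-chosen random filename, and a resolve-then-contain path join. The upload root, the allow-list, the magic-byte table and all function names are assumptions; the sample inputs are constructed and nothing is written to disk.

```python
"""Upload validation and root-contained path handling.

Added example (not Bludit code). The upload root, the allow-list and the
magic-byte table are illustrative assumptions; nothing is written to disk.
"""
import os
import re
import secrets
from pathlib import Path

UPLOAD_ROOT = Path("/srv/app/uploads").resolve()   # assumed location

# extension -> magic bytes the content must start with. Anything absent here
# (notably .php and .svg) is refused; SVG is XML that can carry <script>, so
# it is not treated as an image (cf. CVE-2023-31698, CVE-2026-25100).
ALLOWED = {
    "jpg":  (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png":  (b"\x89PNG\r\n\x1a\n",),
    "gif":  (b"GIF87a", b"GIF89a"),
}

_PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)


def safe_join(root: Path, user_path: str) -> Path:
    """Join a user-supplied path under root, refusing anything that escapes.

    '..' segments, absolute paths and symlinks are all resolved before the
    containment check, which is the check the backup download (CVE-2023-53907)
    and api/plugin.php traversal (CVE-2026-50869) entries describe as absent.
    """
    candidate = (root / user_path).resolve()
    if candidate != root and root not in candidate.parents:
        raise ValueError(f"path escapes upload root: {user_path!r}")
    return candidate


def validate_upload(filename: str, data: bytes) -> str:
    """Return a server-chosen storage name for an acceptable upload, or raise.

    The client filename is used only to read the extension; the stored name
    is random, so PHP smuggled into the name (CVE-2019-16113) never reaches
    disk. The last extension decides, so photo.jpg.php is refused, and the
    content must match the extension it claims.
    """
    base = os.path.basename(filename.replace("\\", "/"))
    if "." not in base:
        raise ValueError("no extension")
    ext = base.rsplit(".", 1)[1].lower()
    if ext not in ALLOWED:
        raise ValueError(f"extension not allowed: .{ext}")
    if not data.startswith(ALLOWED[ext]):
        raise ValueError("content does not match extension")
    if _PHP_TAG.search(data):
        # a genuine JPEG with <?php in a comment segment is still a polyglot
        # an interpreter would run if the upload directory executes scripts
        raise ValueError("embedded PHP open tag")
    return f"{secrets.token_hex(16)}.{ext}"


def storage_path(filename: str, data: bytes, subdir: str = "") -> Path:
    """Validate, then pick the on-disk target under UPLOAD_ROOT/subdir."""
    name = validate_upload(filename, data)
    # the upload directory must also be served without a script handler
    return safe_join(UPLOAD_ROOT, os.path.join(subdir, name))


def demo():
    """Run the validator over constructed inputs; return a verdict per case."""
    jpeg = b"\xff\xd8\xff\xe0" + b"\x00" * 16      # constructed JPEG header
    svg = b"<svg xmlns='http://www.w3.org/2000/svg'><script>1</script></svg>"
    out = {"good_jpg": validate_upload("photo.jpg", jpeg).endswith(".jpg")}
    # PHP in the *name* of a real JPEG is neutralised by renaming
    stored = validate_upload("<?php echo 1; ?>.jpg", jpeg)
    out["php_in_name_sanitized"] = "<" not in stored and stored.endswith(".jpg")
    for label, fn, blob in [
        ("php_ext", "shell.php", b"<?php echo 1;"),
        ("double_ext", "photo.jpg.php", jpeg),
        ("fake_jpg", "photo.jpg", b"<?php echo 1;"),
        ("svg", "logo.svg", svg),
    ]:
        try:
            validate_upload(fn, blob)
            out[label] = "accepted"
        except ValueError:
            out[label] = "rejected"
    try:
        safe_join(UPLOAD_ROOT, "../../etc/passwd")
        out["traversal"] = "accepted"
    except ValueError:
        out["traversal"] = "rejected"
    return out


if __name__ == "__main__":
    print(demo())
```

Two design points: the stored name is never derived from client input, so neither the filename nor its extension has to be sanitized for path or code content, only inspected; and the containment check runs on the fully resolved path, so a `..` that survives string filtering, an absolute path, or a symlink inside the upload root all fail the same test.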
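Three of the 2026 entries (session fixation in CVE-2026-25101, "ghost sessions" surviving account deletion in CVE-2026-46656, deactivated accounts keeping access in CVE-2026-46657) share one root cause: once a session exists it is never re-tied to the account behind it. The following is an added example, not Bludit's code, of the pattern that closes all three: rotate the session id at login so a pre-planted id is worthless, and re-check that the account still exists and is enabled on every request as well as at the moment an admin deletes or disables it. The dict-backed user table, the "enabled" flag and all function names are assumptions.

```python
"""Session lifecycle with id rotation on login and per-request account checks.

Added example (not Bludit code). Users and sessions live in plain dicts; the
field names, the "enabled" flag and all function names are assumptions.
"""
import secrets
import time

# Constructed user table: username -> record
USERS = {
    "admin": {"enabled": True},
    "editor": {"enabled": True},
}

# session id -> {"user": username or None, "issued": epoch seconds}
SESSIONS = {}


def new_session_id():
    # 256 bits from the OS CSPRNG, never derived from anything the client sent
    return secrets.token_urlsafe(32)


def start_anonymous_session():
    sid = new_session_id()
    SESSIONS[sid] = {"user": None, "issued": time.time()}
    return sid


def login(sid, username, password_ok):
    """Authenticate and rotate the session id.

    Deleting the pre-auth id and issuing a fresh one makes any id an
    attacker planted before login worthless afterwards, the fixation
    defence CVE-2026-25101 describes as missing.
    """
    user = USERS.get(username)
    if not password_ok or user is None or not user["enabled"]:
        return None
    SESSIONS.pop(sid, None)           # the pre-auth id must not survive
    fresh = new_session_id()
    SESSIONS[fresh] = {"user": username, "issued": time.time()}
    return fresh


def current_user(sid):
    """Resolve a session to a user, re-checking the account on every request.

    If the user row is gone (the "ghost session" of CVE-2026-46656) or the
    account is disabled (CVE-2026-46657) the session is dropped immediately
    instead of staying valid until it expires.
    """
    rec = SESSIONS.get(sid)
    if rec is None or rec["user"] is None:
        return None
    user = USERS.get(rec["user"])
    if user is None or not user["enabled"]:
        SESSIONS.pop(sid, None)
        return None
    return rec["user"]


def revoke_sessions_for(username):
    """Eager revocation when an admin deletes or disables an account."""
    doomed = [s for s, r in SESSIONS.items() if r["user"] == username]
    for s in doomed:
        del SESSIONS[s]
    return len(doomed)


def delete_user(username):
    USERS.pop(username, None)
    return revoke_sessions_for(username)


def disable_user(username):
    if username in USERS:
        USERS[username]["enabled"] = False
    return revoke_sessions_for(username)


def demo():
    """Walk the three scenarios and return what was observed."""
    pre = start_anonymous_session()        # an id an attacker could have fixed
    post = login(pre, "editor", password_ok=True)
    out = {
        "rotated": pre != post,
        "old_id_dead": current_user(pre) is None,
        "new_id_live": current_user(post) == "editor",
    }
    disable_user("editor")                 # deactivated while logged in
    out["disabled_user_locked_out"] = current_user(post) is None

    admin_sid = login(start_anonymous_session(), "admin", password_ok=True)
    delete_user("admin")                   # deleted while logged in
    out["deleted_user_locked_out"] = current_user(admin_sid) is None
    return out


if __name__ == "__main__":
    print(demo())
```

The per-request check in `current_user` is the belt to `revoke_sessions_for`'s braces: eager revocation covers the code paths that remember to call it, while validating the account on every lookup also covers a deletion done directly in the database, which is the case CVE-2026-46656 describes.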
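CVE-2026-27741 describes the two defences that were both missing on the /admin/uninstall-plugin/ and /admin/install-theme/ endpoints: an anti-CSRF token and any check of where the request came from. The following is an added example, not Bludit's code, of a guard for state-changing admin requests that applies both independently: a per-session random token compared in constant time, plus a same-origin requirement on Origin/Referer and Sec-Fetch-Site whenever the browser supplies them, and a refusal to perform the action over GET at all. SITE_ORIGIN, the form field name, the dict-based session and the function names are assumptions.

```python
"""Guarding state-changing admin requests against cross-site request forgery.

Added example (not Bludit code). SITE_ORIGIN, the form field name and the
function names are assumptions; the session is a plain dict standing in for
server-side session storage.
"""
import hmac
import secrets
from urllib.parse import urlsplit

SITE_ORIGIN = "https://blog.example"       # assumed origin of the admin panel
UNSAFE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}


def issue_csrf_token(session: dict) -> str:
    """One random token per session, embedded in every admin form."""
    if "csrf" not in session:
        session["csrf"] = secrets.token_urlsafe(32)
    return session["csrf"]


def _origin_of(url: str):
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}" if p.scheme and p.netloc else None


def guard_state_change(session: dict, method: str, headers: dict, form: dict):
    """Return None if the request may proceed, otherwise the reason to refuse.

    Two independent checks: a session-bound token a foreign page cannot
    read, and a same-origin requirement on Origin/Referer and Sec-Fetch-Site
    whenever the browser sends them. CVE-2026-27741 describes both as
    missing on /admin/uninstall-plugin/ and /admin/install-theme/.
    """
    method = method.upper()
    if method not in UNSAFE_METHODS:
        return "state change must not be reachable via " + method
    expected = session.get("csrf", "")
    supplied = form.get("csrf_token", "")
    # constant-time compare on bytes so a wrong-typed value cannot raise
    if not expected or not hmac.compare_digest(expected.encode(), str(supplied).encode()):
        return "missing or wrong csrf token"
    origin = headers.get("Origin") or _origin_of(headers.get("Referer", ""))
    if origin is not None and origin != SITE_ORIGIN:
        return f"cross-origin request from {origin}"
    fetch_site = headers.get("Sec-Fetch-Site")
    if fetch_site not in (None, "same-origin", "none"):
        return f"Sec-Fetch-Site={fetch_site}"
    return None


def demo():
    """Exercise the guard with constructed requests; return reason per case."""
    session = {"user": "admin"}
    token = issue_csrf_token(session)
    attacker = {"Origin": "https://attacker.example", "Sec-Fetch-Site": "cross-site"}
    legit = {"Origin": SITE_ORIGIN, "Sec-Fetch-Site": "same-origin"}
    return {
        # classic forged form post from another site: no token
        "no_token": guard_state_change(session, "POST", attacker, {}),
        # even with the right token, a foreign origin is refused
        "cross_origin": guard_state_change(session, "POST", attacker, {"csrf_token": token}),
        # GET must never perform the action (a link or <img> would trigger it)
        "get": guard_state_change(session, "GET", legit, {"csrf_token": token}),
        # the real admin form
        "legit": guard_state_change(session, "POST", legit, {"csrf_token": token}),
    }


if __name__ == "__main__":
    print(demo())
```

The token check alone is sufficient in principle; the origin checks are defence in depth for the case where a token leaks through some other bug, and they cost nothing because browsers attach Origin to every cross-site POST.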
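CVE-2019-17240 is a reminder that a brute-force counter is only as strong as the key it counts on: if the key is taken from X-Forwarded-For or Client-IP, the attacker picks a new key with every request. The following is an added example, not Bludit's security.class.php, showing a login throttle that believes forwarded headers only when the TCP peer is a configured reverse proxy and otherwise keys on the peer address itself, so forged headers from a direct connection change nothing. The trusted-proxy range, the thresholds and the canonical-case header dict are assumptions.

```python
"""Login throttling keyed on a client address the client cannot choose.

Added example (not Bludit's security.class.php). The trusted proxy range,
thresholds and header names are assumptions; headers are a plain dict with
canonical-case keys.
"""
import ipaddress
import time

TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]  # assumed reverse proxies
MAX_FAILURES = 5
WINDOW_SECONDS = 600


def client_ip(remote_addr: str, headers: dict) -> str:
    """Decide which address a login attempt counts against.

    X-Forwarded-For (Client-IP would be handled the same way) is believed
    only when the TCP peer is a configured proxy; from anyone else it is an
    attacker-chosen string, which is how CVE-2019-17240's counter was
    sidestepped.
    """
    peer = ipaddress.ip_address(remote_addr)
    if not any(peer in net for net in TRUSTED_PROXIES):
        return str(peer)
    raw = headers.get("X-Forwarded-For", "")
    hops = [h.strip() for h in raw.split(",") if h.strip()]
    # walk right to left: the first hop that is not one of our proxies is the client
    for hop in reversed(hops):
        try:
            ip = ipaddress.ip_address(hop)
        except ValueError:
            break                      # malformed header: fall back to the peer
        if not any(ip in net for net in TRUSTED_PROXIES):
            return str(ip)
    return str(peer)


class LoginThrottle:
    def __init__(self, now=time.time):
        self._now = now
        self._failures = {}            # ip -> timestamps of recent failures

    def _recent(self, ip):
        cutoff = self._now() - WINDOW_SECONDS
        self._failures[ip] = [t for t in self._failures.get(ip, []) if t > cutoff]
        return self._failures[ip]

    def is_blocked(self, ip):
        return len(self._recent(ip)) >= MAX_FAILURES

    def attempt(self, remote_addr, headers, password_ok):
        ip = client_ip(remote_addr, headers)
        if self.is_blocked(ip):
            # decided before the password is looked at; a correct password
            # does not unlock early
            return "blocked"
        if password_ok:
            self._failures.pop(ip, None)
            return "ok"
        self._recent(ip).append(self._now())
        return "bad_password"


def demo():
    """Constructed attempts: a direct attacker rotating forged headers, then
    the same header seen via a trusted proxy and via an untrusted peer."""
    t = LoginThrottle()
    out = {}
    for i in range(MAX_FAILURES):
        t.attempt("203.0.113.7", {"X-Forwarded-For": f"192.0.2.{i}"}, False)
    out["forged_xff_still_blocked"] = (
        t.attempt("203.0.113.7", {"X-Forwarded-For": "192.0.2.99"}, True) == "blocked"
    )
    # behind the trusted proxy the forwarded address is honoured
    out["proxied_client"] = client_ip("10.0.0.1", {"X-Forwarded-For": "198.51.100.4, 10.0.0.2"})
    # the same header from an untrusted peer is ignored
    out["direct_client"] = client_ip("203.0.113.7", {"X-Forwarded-For": "127.0.0.1"})
    return out


if __name__ == "__main__":
    print(demo())
```

When the application really is behind a proxy, the proxy should overwrite rather than append the forwarded header (or the trusted list should name only the proxy's own addresses), otherwise a client can still prepend entries that the right-to-left walk will skip past only if they happen to fall inside the trusted range.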