Bludit is vulnerable to Stored Cross-Site Scripting (XSS) in its image upload functionality. An authenticated attacker with content upload privileges (such as Author, Editor, or Administrator) can upload an SVG file containing a malicious payload, which is executed when a victim visits the URL of the uploaded resource. The uploaded resource itself is accessible without authentication.
The vendor was notified early about this vulnerability, but stopped responding in the middle of coordination. All versions up to 3.18.2 are considered to be vulnerable, future versions might also be vulnerable.
CVSS Score
5.4
EPSS Score
0.0
Published
2026-03-27
Bludit allows user's session identifier to be set before authentication. The value of this session ID stays the same after authentication. This behavior enables an attacker to fix a session ID
for a victim and later hijack the authenticated session.
This issue was fixed in version 3.17.2.
CVSS Score
9.8
EPSS Score
0.001
Published
2026-03-27
Bludit’s API plugin allows an authenticated attacker with a valid API token to upload files of any type and extension without restriction, which can then be executed, leading to Remote Code Execution.
This issue was fixed in 3.18.4.
CVSS Score
8.8
EPSS Score
0.003
Published
2026-03-27
Bludit version 3.16.2 contains a stored cross-site scripting (XSS) vulnerability in the post content functionality. The application performs client-side sanitation of content input but does not enforce equivalent sanitation on the server side. An authenticated user can inject arbitrary JavaScript into the content field of a post, which is stored and later rendered to other users without proper output encoding. When viewed, the injected script executes in the context of the victim’s browser, allowing session hijacking, credential theft, content manipulation, or other actions within the user’s privileges.
CVSS Score
5.4
EPSS Score
0.0
Published
2026-02-23
Bludit versions before 3.13.1 contain an authenticated file download vulnerability in the Backup Plugin that allows logged-in users to access arbitrary files. Attackers can exploit the plugin's download functionality by manipulating file path parameters to read sensitive system files through directory traversal.
CVSS Score
6.5
EPSS Score
0.004
Published
2025-12-17
A security vulnerability has been identified in Bludit, allowing authenticated attackers to execute arbitrary code through the Image API. This vulnerability arises from improper handling of file uploads, enabling malicious actors to upload and execute PHP files.
CVSS Score
8.8
EPSS Score
0.002
Published
2024-06-24
A Stored Cross Site Scripting (XSS) vulnerability exists in bludit 3.13.1 via the TAGS section in login panel.
CVSS Score
5.4
EPSS Score
0.03
Published
2022-01-06
A Stored Cross Site Scripting (XSS) vulnerability exists in Bludit 3.13.1 via the About Plugin in login panel.
CVSS Score
5.4
EPSS Score
0.027
Published
2022-01-06
ajax/profile-picture-upload.php in Bludit 3.10.0 allows authenticated users to change other users' profile pictures.
CVSS Score
4.3
EPSS Score
0.004
Published
2020-02-07
Bludit 3.10.0 allows Editor or Author roles to insert malicious JavaScript on the WYSIWYG editor. NOTE: the vendor's perspective is that this is "not a bug.
CVSS Score
5.4
EPSS Score
0.003
Published
2020-02-07
Page 1