CVE-2026-41456
Received Received - Intake
Reflected XSS in Bludit CMS Search Plugin Enables Session Hijacking

Publication date: 2026-04-21

Last updated on: 2026-04-21

Assigner: VulnCheck

Description
Bludit CMS prior to commit 6732dde contains a reflected cross-site scripting vulnerability in the search plugin that allows unauthenticated attackers to inject arbitrary JavaScript by crafting a malicious search query. Attackers can execute malicious scripts in the browsers of users who visit crafted URLs containing the payload, potentially stealing session cookies or performing actions on behalf of affected users.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-21
Last Modified
2026-04-21
Generated
2026-06-16
AI Q&A
2026-04-21
EPSS Evaluated
2026-06-15
NVD
CVE-2026-41456
EUVD
EUVD-2026-24239
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
bludit bludit to 3.20 (exc)
bludit cms to 6732dde (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-41456 is a reflected cross-site scripting (XSS) vulnerability in the Bludit CMS search plugin. It allows unauthenticated attackers to inject arbitrary JavaScript by crafting malicious search queries. When users visit URLs containing these malicious payloads, the injected scripts execute in their browsers.

The root cause is that user input in the search box and pagination URLs were not properly sanitized or HTML-escaped before being reflected in the web page, leading to improper neutralization of input during web page generation (CWE-79).

This vulnerability was fixed by applying HTML escaping functions to all user-controllable strings used in HTML attributes and URLs, preventing execution of injected scripts.

Impact Analysis

If exploited, this vulnerability allows attackers to execute arbitrary JavaScript in the browsers of users who visit crafted URLs containing malicious search queries.

  • Attackers can steal session cookies, enabling session hijacking.
  • They can perform unauthorized actions on behalf of affected users.
  • It can lead to credential theft and exfiltration of CSRF tokens.
  • Attackers may manipulate the DOM or redirect users to phishing sites.
  • In privileged contexts like the admin panel, exploitation could result in full account takeover or compromise of CMS content.
Detection Guidance

This vulnerability can be detected by testing the search functionality of Bludit CMS for reflected cross-site scripting (XSS) issues. Specifically, an attacker or tester can craft malicious search queries containing JavaScript payloads and observe if the input is reflected unsanitized in the search results page, causing script execution.

One practical method to detect the vulnerability is to submit a search query with a known XSS payload such as: !"><img src=1 onerror=alert(1)>.gif and check if a JavaScript alert popup appears, indicating the presence of reflected XSS.

There are no specific network commands provided in the resources, but manual testing via the web interface or automated web vulnerability scanners that test for reflected XSS in search parameters can be used.

Mitigation Strategies

Immediate mitigation steps include applying the official fix which involves properly sanitizing and escaping user input in the search plugin and related pagination URLs before outputting them in HTML. This is done by using PHP's htmlspecialchars() function with ENT_QUOTES and UTF-8 encoding on all user-controllable strings.

Additionally, developers should ensure that any URLs or search terms are safely encoded, for example by using URL encoding functions like rawurlencode() or JavaScript's encodeURIComponent() where appropriate.

Administrators should update Bludit CMS to the version including commit 6732dde or later, where this vulnerability is fixed.

Other recommended mitigations include implementing strict Content Security Policies (CSP) to restrict execution of inline scripts and untrusted sources, validating and sanitizing all user inputs on the server side, and avoiding reflection of raw user input in responses.

Compliance Impact

The reflected cross-site scripting (XSS) vulnerability in Bludit CMS allows attackers to execute arbitrary JavaScript in users' browsers, potentially stealing session cookies and performing unauthorized actions. Such exploitation can lead to unauthorized access to user data and session hijacking.

This kind of vulnerability can impact compliance with common standards and regulations like GDPR and HIPAA because it risks unauthorized disclosure and manipulation of personal or sensitive data. For example, session hijacking or credential theft could lead to breaches of personal data confidentiality and integrity, which are core concerns of these regulations.

Therefore, failure to remediate this vulnerability could result in non-compliance with data protection requirements that mandate securing user data against unauthorized access and ensuring proper input validation and output encoding to prevent injection attacks.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-41456. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart