CVE-2026-4420
Stored XSS in Bludit Page Creation Enables Admin Takeover
Publication date: 2026-04-07
Last updated on: 2026-04-20
Assigner: CERT.PL
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| bludit | bludit | 3.17.2 |
| bludit | bludit | 3.18.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-4420 is a Stored Cross-Site Scripting (XSS) vulnerability in the Bludit content management system, located in its page creation functionality.
An authenticated attacker whose role permits page creation (Author, Editor, or Administrator) can place JavaScript in the tags field of a newly created article; the value is stored and later written into the rendered page without being neutralized.
The script executes in the browser of anyone who visits the URL of the created page, and that URL is reachable without authentication, so the page can serve as a lure for a logged-in administrator.
Critically, the script runs with the visitor's session: if the victim is sufficiently privileged, it can perform administrative actions on their behalf, including automatically creating a new site administrator account.
How can this vulnerability impact me?
An attacker with page creation privileges can execute arbitrary JavaScript in the browsers of users who visit the affected page.
Because the payload runs in the victim's authenticated session, it can trigger unauthorized actions such as creating a new site administrator when the victim holds enough privileges.
The result can be a full compromise of the Bludit site, with the attacker controlling site content and all administrative functions.
What immediate steps should I take to mitigate this vulnerability?
The vulnerability affects Bludit versions 3.17.2 and 3.18.0; any authenticated user with page creation privileges can inject JavaScript through the tags field.
Immediate mitigation should focus on who holds those privileges: limit the Author, Editor, and Administrator roles to trusted accounts, and review existing accounts for any that should not have them.
Additionally, review newly created and existing pages, especially their stored tag values, for HTML markup or script content, since a benign tag should contain only plain text.
The advisory does not list a fixed release; upgrade to a version later than 3.18.0 once one is available and confirmed to address the issue, and in the meantime apply contextual output encoding (HTML-escaping tag values wherever they are rendered) or reject markup in the tags field on input. A restrictive Content-Security-Policy on the public site is a useful defense-in-depth layer, but it does not remove the underlying flaw.
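As an added example (this is not code from Bludit, the advisory, or CERT.PL), the following Python script does two things the steps above call for: it triages an exported pages database for tag values that contain markup, and it shows the vulnerable interpolation beside the contextual escaping that neutralizes it. The database layout (a JSON document keyed by page slug, each page carrying a tags mapping) and the sample records are assumptions constructed for the example, not data taken from a real Bludit install; the regex is a triage heuristic and is not itself a sanitizer.

```python
"""Added example: triage Bludit-style tag values for stored XSS and show
the unsafe vs. hardened rendering of a tag.

Assumption (not from the advisory): the pages database is JSON keyed by
page slug, with each page holding a "tags" mapping of tag-key -> label.
The sample below is constructed for this example.
"""
import html
import json
import re
from urllib.parse import quote

# Constructed sample database: two benign pages and one carrying payloads.
SAMPLE_PAGES_DB = json.dumps({
    "welcome": {"title": "Welcome", "tags": {"intro": "intro", "news": "news"}},
    "release": {"title": "Release notes", "tags": {"release-3-18": "release 3.18"}},
    "evil": {
        "title": "Harmless looking",
        "tags": {
            "x": "<img src=x onerror=alert(1)>",
            "y": "\"><script>alert(document.cookie)</script>",
        },
    },
})

# Heuristic: anything that can open a tag, attach an event handler, start a
# script: URL, or close an attribute and then a tag. Expect some false
# positives (e.g. a tag literally named "conference=2026"); review hits by hand.
SUSPICIOUS = re.compile(
    r"<\s*/?\s*[a-z!]"      # tag start, comment or doctype
    r"|on[a-z]+\s*="        # inline event handler
    r"|javascript\s*:"      # script URL scheme
    r"|[\"'`]\s*>",         # attribute break-out followed by tag close
    re.IGNORECASE,
)


def suspicious_tags(pages_db_json):
    """Return [(page_key, tag_value)] for every tag that looks like markup."""
    pages = json.loads(pages_db_json)
    hits = []
    for key, page in pages.items():
        tags = page.get("tags") or {}
        # Tolerate either a mapping (key -> label) or a plain list of labels.
        values = tags.values() if isinstance(tags, dict) else tags
        for tag in values:
            tag = str(tag)
            if SUSPICIOUS.search(tag):
                hits.append((key, tag))
    return hits


def render_tag_unsafe(tag):
    """The vulnerable pattern: the stored tag is dropped straight into HTML,
    both inside an attribute and as element text."""
    return '<a href="/tag/%s">%s</a>' % (tag, tag)


def render_tag_safe(tag):
    """Hardened rendering: encode for each output context separately.
    The href segment is URL-encoded (no quotes or angle brackets survive)
    and then HTML-escaped for the attribute; the link text is HTML-escaped."""
    href = "/tag/" + html.escape(quote(tag, safe=""), quote=True)
    return '<a href="%s">%s</a>' % (href, html.escape(tag, quote=True))


if __name__ == "__main__":
    for page_key, tag in suspicious_tags(SAMPLE_PAGES_DB):
        print("page %r has suspicious tag: %r" % (page_key, tag))
        print("  unsafe:", render_tag_unsafe(tag))
        print("  safe:  ", render_tag_safe(tag))
```

Run it against a copy of the exported database rather than the live file, and treat every hit as something to inspect, since the pattern list is intentionally broad. The rendering functions make the fix concrete: the tag value must be encoded for the exact context it lands in (URL, attribute, text), which is why a single generic "strip tags" pass on input is weaker than escaping at output time.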
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
Because the injected JavaScript runs in a visiting administrator's session, the vulnerability can lead to unauthorized privilege escalation, including the creation of a new administrator account, and from there to compromise of user accounts and of the site's administrative functions.
That undermines the confidentiality, integrity, and availability of any data the site holds.
Consequently, the vulnerability can negatively affect compliance with standards and regulations such as GDPR and HIPAA, which require protection of personal data and effective access controls against unauthorized access and modification.