CVE-2026-25100

Bludit is vulnerable to Stored Cross-Site Scripting (XSS) in its image upload functionality. An authenticated attacker with content upload privileges (such as Author, Editor, or Administrator) can upload an SVG file containing a malicious payload, which is executed when a victim visits the URL of the uploaded resource. The uploaded resource itself is accessible without authentication. The vendor was notified early about this vulnerability, but stopped responding in the middle of coordination. All versions up to 3.18.2 are considered to be vulnerable, future versions might also be vulnerable.

CVSS v3 5.4 MEDIUM

5.4^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.3 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://cert.pl/posts/2026/03/CVE-2026-25099	Third Party Advisory
https://github.com/bludit/bludit/releases/tag/3.18.2	Release Notes

Configurations

Configuration 1 (hide)

cpe:2.3:a:bludit:bludit:*:*:*:*:*:*:*:*

History

01 Apr 2026, 13:56

Type	Values Removed	Values Added
References	~~() https://cert.pl/posts/2026/03/CVE-2026-25099 -~~	() https://cert.pl/posts/2026/03/CVE-2026-25099 - Third Party Advisory
References	~~() https://github.com/bludit/bludit/releases/tag/3.18.2 -~~	() https://github.com/bludit/bludit/releases/tag/3.18.2 - Release Notes
First Time		Bludit Bludit bludit
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 5.4
CPE		cpe:2.3:a:bludit:bludit::::::::

27 Mar 2026, 12:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-27 12:16

Updated : 2026-04-01 13:56

NVD link : CVE-2026-25100

Mitre link : CVE-2026-25100

CVE.ORG link : CVE-2026-25100

JSON object : View

Products Affected

bludit

bludit

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2026-25100", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.3}], "cvssMetricV40": [{"type": "Secondary", "source": "cvd@cert.pl", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 4.8, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "ACTIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "LOW", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "LOW", "vulnConfidentialityImpact": "NONE", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-03-27T12:16:20.030", "references": [{"url": "https://cert.pl/posts/2026/03/CVE-2026-25099", "tags": ["Third Party Advisory"], "source": "cvd@cert.pl"}, {"url": "https://github.com/bludit/bludit/releases/tag/3.18.2", "tags": ["Release Notes"], "source": "cvd@cert.pl"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "cvd@cert.pl", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "Bludit is vulnerable to Stored Cross-Site Scripting (XSS) in its image upload functionality. An authenticated attacker with content upload privileges (such as Author, Editor, or Administrator) can upload an SVG file containing a malicious payload, which is executed when a victim visits the URL of the uploaded resource. The uploaded resource itself is accessible without authentication.\n\nThe vendor was notified early about this vulnerability, but stopped responding in the middle of coordination. All versions up to 3.18.2 are considered to be vulnerable, future versions might also be vulnerable."}], "lastModified": "2026-04-01T13:56:52.570", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:bludit:bludit:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E716554F-498B-4263-B510-4D7E6BB44B21", "versionEndExcluding": "3.18.2"}], "operator": "OR"}]}], "sourceIdentifier": "cvd@cert.pl"}