Bludit CMS Stored XSS in Post Content (CVE-2026-27742)
Author: Beatriz Fresno Naumova, Catalin Iovita
Date: 23/02/2026
Vendor: Bludit
Product: Bludit CMS
Versions affected: ≤ 3.16.2
Component: Post content functionality
CWE: CWE-79 – Improper Neutralization of Input During Web Page Generation (XSS)
Attack type: Remote
Impact: Stored Cross-Site Scripting (XSS)
Description
Bludit CMS versions up to and including 3.16.2 are affected by a stored Cross-Site Scripting (XSS) vulnerability in the post content functionality.
The application performs input sanitization on the client side but does not enforce equivalent validation or context-aware output encoding on the server side. As a result, an authenticated user can inject arbitrary JavaScript into the content field when creating or editing a post.
The malicious payload is stored persistently and later rendered to other users without proper output encoding. When the affected post is viewed, the injected script executes in the victim’s browser context.
This allows arbitrary JavaScript execution within the privilege scope of the affected user.
Impact
Primary impact
Execution of arbitrary JavaScript in the victim’s browser session.
Possible consequences
Session hijacking
Credential theft
Content manipulation
Privilege abuse within the application
Unauthorized actions performed on behalf of the victim
Potential compromise of application integrity
CVSS Details
CVSS v4.0 Vector:
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
Base Score: 5.1 (Medium)
CVSS v3.1 Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Base Score: 5.4 (Medium)
Solution
No official fix was available at the time of disclosure.
Recommendation
Implement server-side sanitization of user-supplied content
Apply strict context-aware output encoding when rendering post content
Do not rely solely on client-side validation
Perform security testing on content rendering components
Mitigation
Encode all user-controlled input before rendering it in HTML contexts
Implement Content Security Policy (CSP) headers
Restrict dangerous HTML tags and JavaScript execution within content fields
Conduct regular security reviews of content creation and rendering workflows
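As an added illustration of the server-side recommendations above (example code written for this page, not Bludit's own, which is PHP): an allowlist-based sanitizer for stored post content that runs on the server at save or render time, so it applies no matter what the browser-side filter did or whether the request bypassed the editor entirely. The allowed tags, allowed attributes, URL schemes and the sample post bodies are constructed for the example.

```python
from html import escape
from html.parser import HTMLParser

# Constructed allowlist: only these tags/attributes survive; everything else is dropped.
ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "a", "ul", "ol", "li", "br",
                "h2", "h3", "blockquote", "code", "pre"}
ALLOWED_ATTRS = {"a": {"href", "title"}}       # no on* handlers, no style, anywhere
VOID_TAGS = {"br"}
SAFE_URL_PREFIXES = ("http://", "https://", "mailto:", "/", "#")
DROP_WITH_BODY = ("script", "style")         # element and its text are removed together


class PostSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)  # entities decoded, then re-encoded by us
        self.out = []
        self.skip_depth = 0                      # > 0 while inside a dropped <script>/<style>

    def handle_starttag(self, tag, attrs):
        if self.skip_depth or tag not in ALLOWED_TAGS:
            if tag in DROP_WITH_BODY:
                self.skip_depth += 1
            return                               # unknown tag: keep its text, drop the tag
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            if name == "href" and not (value or "").strip().lower().startswith(SAFE_URL_PREFIXES):
                continue                         # rejects javascript:/data: style URLs
            kept.append(f' {name}="{escape(value or "", quote=True)}"')  # attribute context
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_WITH_BODY:
            if self.skip_depth:
                self.skip_depth -= 1
            return
        if not self.skip_depth and tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))  # text-node context


def sanitize_post_content(html: str) -> str:
    """Return post HTML reduced to the allowlist; safe to store and to render as HTML."""
    parser = PostSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)
```

Because the result is produced on the server, a post submitted directly over HTTP receives the same treatment as one typed into the editor; a Content-Security-Policy header without `unsafe-inline` remains a useful second layer for anything the allowlist misses.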
Discoverers
Beatriz Fresno Naumova
Catalin Iovita (@catalin-iovita)
References
CVE Record: https://www.cve.org/CVERecord?id=CVE-2026-27742
VulnCheck Advisory: https://www.vulncheck.com/advisories/bludit-stored-xss-in-post-content
Vendor Website: https://www.bludit.com/