CVE-2026-27741

MEDIUM EPSS 4.0%
Published Feb 23, 20264mo ago · Modified Jun 17, 20261w ago
5.1 CVSS 4.0
Medium
Find Similar
Published Feb 23, 2026 4mo ago
Last Modified Jun 17, 2026 1w ago

Description

Bludit version 3.16.1 contains a cross-site request forgery (CSRF) vulnerability in the /admin/uninstall-plugin/ and /admin/install-theme/ endpoints. The application does not implement anti-CSRF tokens or other request origin validation mechanisms for these administrative actions. An attacker can induce an authenticated administrator to visit a malicious page that silently submits crafted requests, resulting in unauthorized plugin uninstallation or theme installation. This may lead to loss of functionality, execution of untrusted code via malicious themes, and compromise of system integrity.

CVSS Details

Base Score
5.1
Exploitability
Impact
Vector string
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction A
Scope X

Threat Intelligence

EPSS Exploit Probability
4.0% percentile
Exploit & Patch Status
Public Exploit Known
No Patch Available

Weaknesses 1

CWE-352 Cross-Site Request Forgery (CSRF) Authentication

Affected Products 1

VendorProductVersionRange
bluditbludit3.16.1any

References 2

  • github.com https://github.com/bludit/bludit/issues/1577
    ExploitIssue Tracking
  • vulncheck.com https://www.vulncheck.com/advisories/bludit-csrf-in-plugin-and-theme-management-endpoints
    Third Party Advisory

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.