CVE-2026-27742

MEDIUM EPSS 3.6%

Published Feb 23, 20264mo ago · Modified Feb 26, 20264mo ago

5.1 CVSS 4.0

Medium

Published Feb 23, 2026 4mo ago

Last Modified Feb 26, 2026 4mo ago

Description

Bludit version 3.16.2 contains a stored cross-site scripting (XSS) vulnerability in the post content functionality. The application performs client-side sanitation of content input but does not enforce equivalent sanitation on the server side. An authenticated user can inject arbitrary JavaScript into the content field of a post, which is stored and later rendered to other users without proper output encoding. When viewed, the injected script executes in the context of the victim’s browser, allowing session hijacking, credential theft, content manipulation, or other actions within the user’s privileges.

CVSS Details

Base Score

5.1

Exploitability

—

Impact

—

Vector string

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector Network

Attack Complexity Low

Privileges Required Low

User Interaction P

Scope X

Threat Intelligence

EPSS Exploit Probability

3.6% percentile

Exploit & Patch Status

Public Exploit Known

No Patch Available

Weaknesses 1

CWE-79 Cross-site Scripting Injection

Affected Products 1

Vendor	Product	Version	Range
bludit	bludit	*	<3.16.2

References 2

github.com https://github.com/bludit/bludit/issues/1579

ExploitIssue Tracking
vulncheck.com https://www.vulncheck.com/advisories/bludit-stored-xss-in-post-content

Third Party Advisory

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.