Description
Bludit CMS prior to commit 6732dde contains a reflected cross-site scripting (XSS) vulnerability in the search plugin: an unauthenticated attacker can inject arbitrary JavaScript through a crafted search query. The script executes in the browser of any user who visits a crafted URL containing the payload, potentially stealing session cookies or performing actions on that user's behalf.
References (4)
Exploit (technical description): https://gist.github.com/thepiyushkumarshukla/36b213cdb3c7d603e23fd23605cd681e
Issue tracking: https://github.com/bludit/bludit/pull/1691
Third-party advisory: https://www.vulncheck.com/advisories/bludit-cms-reflected-xss-via-search-plugin
Scores
CVSS v4: 5.1
EPSS: 0.0038
EPSS percentile: 29.5%
CVSS v4 vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CISA SSVC (Vulnrichment)
Exploitation: poc
Automatable: yes
Technical impact: partial
Details
CWE: CWE-79
Status: published
Products (2)
bludit/bludit: < 3.20
bludit/bludit: commit 6732ddedda8b73ce0a017a1b6adf685100244e01 (2 CPE variants)
Published: Apr 21, 2026
Tracked since: Apr 22, 2026