Security Vulnerabilities
Bludit is vulnerable to Stored Cross-Site Scripting (XSS) in its image upload functionality. An authenticated attacker with content upload privileges (such as Author, Editor, or Administrator) can upload an SVG file containing a malicious payload, which is executed when a victim visits the URL of the uploaded resource. The uploaded resource itself is accessible without authentication.
The vendor was notified early about this vulnerability, but stopped responding in the middle of coordination. All versions up to 3.18.2 are considered to be vulnerable, future versions might also be vulnerable.
CVSS Score
4.8
EPSS Score
0.0
Published
2026-03-27
Bludit allows user's session identifier to be set before authentication. The value of this session ID stays the same after authentication. This behavior enables an attacker to fix a session ID
for a victim and later hijack the authenticated session.
This issue was fixed in version 3.17.2.
CVSS Score
4.8
EPSS Score
0.001
Published
2026-03-27
Bludit’s API plugin allows an authenticated attacker with a valid API token to upload files of any type and extension without restriction, which can then be executed, leading to Remote Code Execution.
This issue was fixed in 3.18.4.
CVSS Score
8.7
EPSS Score
0.003
Published
2026-03-27
In OCaml through 4.14.3, Bigarray.reshape allows an integer overflow, and resultant reading of arbitrary memory, when untrusted data is processed.
CVSS Score
5.9
EPSS Score
0.0
Published
2026-03-27
OS Command Injection vulnerability exists in BUFFALO Wi-Fi router products. If this vulnerability is exploited, an arbitrary OS command may be executed on the products.
CVSS Score
8.6
EPSS Score
0.001
Published
2026-03-27
OS Command Injection vulnerability exists in BUFFALO Wi-Fi router products. If this vulnerability is exploited, an arbitrary OS command may be executed on the products.
CVSS Score
8.6
EPSS Score
0.001
Published
2026-03-27
Code injection vulnerability exists in BUFFALO Wi-Fi router products. If this vulnerability is exploited, an arbitrary code may be executed on the products.
CVSS Score
8.7
EPSS Score
0.0
Published
2026-03-27
Code injection vulnerability exists in BUFFALO Wi-Fi router products. If this vulnerability is exploited, an arbitrary code may be executed on the products.
CVSS Score
8.7
EPSS Score
0.0
Published
2026-03-27
Authentication bypass issue exists in BUFFALO Wi-Fi router products, which may allow an attacker to alter critical configuration settings without authentication.
CVSS Score
8.7
EPSS Score
0.001
Published
2026-03-27
Authentication bypass issue exists in BUFFALO Wi-Fi router products, which may allow an attacker to alter critical configuration settings without authentication.
CVSS Score
8.7
EPSS Score
0.001
Published
2026-03-27