Bludit version 3.16.2 contains a stored cross-site scripting (XSS) vulnerability in the post content functionality. The application performs client-side sanitation of content input but does not enforce equivalent sanitation on the server side. An authenticated user can inject arbitrary JavaScript into the content field of a post, which is stored and later rendered to other users without proper output encoding. When viewed, the injected script executes in the context of the victim’s browser, allowing session hijacking, credential theft, content manipulation, or other actions within the user’s privileges.
CVSS Score
5.4
EPSS Score
0.0
Published
2026-02-23
Bludit versions before 3.13.1 contain an authenticated file download vulnerability in the Backup Plugin that allows logged-in users to access arbitrary files. Attackers can exploit the plugin's download functionality by manipulating file path parameters to read sensitive system files through directory traversal.
CVSS Score
6.5
EPSS Score
0.004
Published
2025-12-17
A security vulnerability has been identified in Bludit, allowing authenticated attackers to execute arbitrary code through the Image API. This vulnerability arises from improper handling of file uploads, enabling malicious actors to upload and execute PHP files.
CVSS Score
8.8
EPSS Score
0.002
Published
2024-06-24
A Stored Cross Site Scripting (XSS) vulnerability exists in bludit 3.13.1 via the TAGS section in login panel.
CVSS Score
5.4
EPSS Score
0.03
Published
2022-01-06
A Stored Cross Site Scripting (XSS) vulnerability exists in Bludit 3.13.1 via the About Plugin in login panel.
CVSS Score
5.4
EPSS Score
0.027
Published
2022-01-06
A file upload vulnerability was discovered in the file path /bl-plugins/backup/plugin.php on Bludit version 3.12.0. If an attacker is able to gain Administrator rights they will be able to use unsafe plugins to upload a backup file and control the server.
CVSS Score
7.2
EPSS Score
0.004
Published
2021-05-21
Bludit 3.12.0 allows admins to use a /plugin-backup-download?file=../ directory traversal approach for arbitrary file download via backup/plugin.php.
CVSS Score
4.9
EPSS Score
0.005
Published
2020-06-24
Bludit 3.12.0 allows stored XSS via JavaScript code in an SVG document to bl-kernel/ajax/logo-upload.php.
CVSS Score
5.4
EPSS Score
0.002
Published
2020-06-24
showAlert() in the administration panel in Bludit 3.12.0 allows XSS.
CVSS Score
5.4
EPSS Score
0.017
Published
2020-06-06