{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4420", "assignerOrgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6", "state": "PUBLISHED", "assignerShortName": "CERT-PL", "dateReserved": "2026-03-19T10:22:11.295Z", "datePublished": "2026-04-07T10:46:19.052Z", "dateUpdated": "2026-04-07T16:28:47.502Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://github.com", "defaultStatus": "unknown", "packageName": "bludit", "product": "Bludit", "repo": "https://github.com/bludit/bludit", "vendor": "Bludit", "versions": [{"status": "affected", "version": "3.17.2", "versionType": "semver"}, {"status": "affected", "version": "3.18.0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Yassin Abdelrazek"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Bludit is vulnerable to Stored Cross-Site Scripting (XSS) in its page creating functionality. An authenticated attacker with page creation privileges (such as Author, Editor, or Administrator) can embed a malicious JavaScript payload in the tags&nbsp;field of a newly created article. This payload will be executed when a victim visits the URL of the uploaded resource. The uploaded resource itself is accessible without authentication. Critically, this vulnerability could be used to automatically create a new site administrator if the victim has enough privileges.&nbsp;<br><br>The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only versions 3.17.2 and&nbsp;3.18.0 were tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable.<br>"}], "value": "Bludit is vulnerable to Stored Cross-Site Scripting (XSS) in its page creating functionality. An authenticated attacker with page creation privileges (such as Author, Editor, or Administrator) can embed a malicious JavaScript payload in the tags\u00a0field of a newly created article. This payload will be executed when a victim visits the URL of the uploaded resource. The uploaded resource itself is accessible without authentication. Critically, this vulnerability could be used to automatically create a new site administrator if the victim has enough privileges.\u00a0\n\nThe vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only versions 3.17.2 and\u00a03.18.0 were tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable."}], "impacts": [{"capecId": "CAPEC-592", "descriptions": [{"lang": "en", "value": "CAPEC-592 Stored XSS"}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 5.1, "baseSeverity": "MEDIUM", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6", "shortName": "CERT-PL", "dateUpdated": "2026-04-07T10:46:19.052Z"}, "references": [{"tags": ["third-party-advisory"], "url": "https://cert.pl/en/posts/2026/04/CVE-2026-4420"}, {"tags": ["product"], "url": "https://github.com/bludit/bludit/"}], "source": {"discovery": "EXTERNAL"}, "title": "Stored XSS via Page Creating functionality in Bludit", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-07T16:28:33.523234Z", "id": "CVE-2026-4420", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-07T16:28:47.502Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-4420", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-07T16:28:33.523234Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-07T16:28:36.918Z"}}], "cna": {"title": "Stored XSS via Page Creating functionality in Bludit", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Yassin Abdelrazek"}], "impacts": [{"capecId": "CAPEC-592", "descriptions": [{"lang": "en", "value": "CAPEC-592 Stored XSS"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 5.1, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N", "providerUrgency": "NOT_DEFINED", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "LOW", "vulnIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "vulnConfidentialityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://github.com/bludit/bludit", "vendor": "Bludit", "product": "Bludit", "versions": [{"status": "affected", "version": "3.17.2", "versionType": "semver"}, {"status": "affected", "version": "3.18.0", "versionType": "semver"}], "packageName": "bludit", "collectionURL": "https://github.com", "defaultStatus": "unknown"}], "references": [{"url": "https://cert.pl/en/posts/2026/04/CVE-2026-4420", "tags": ["third-party-advisory"]}, {"url": "https://github.com/bludit/bludit/", "tags": ["product"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Bludit is vulnerable to Stored Cross-Site Scripting (XSS) in its page creating functionality. An authenticated attacker with page creation privileges (such as Author, Editor, or Administrator) can embed a malicious JavaScript payload in the tags\u00a0field of a newly created article. This payload will be executed when a victim visits the URL of the uploaded resource. The uploaded resource itself is accessible without authentication. Critically, this vulnerability could be used to automatically create a new site administrator if the victim has enough privileges.\u00a0\n\nThe vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only versions 3.17.2 and\u00a03.18.0 were tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable.", "supportingMedia": [{"type": "text/html", "value": "Bludit is vulnerable to Stored Cross-Site Scripting (XSS) in its page creating functionality. An authenticated attacker with page creation privileges (such as Author, Editor, or Administrator) can embed a malicious JavaScript payload in the tags&nbsp;field of a newly created article. This payload will be executed when a victim visits the URL of the uploaded resource. The uploaded resource itself is accessible without authentication. Critically, this vulnerability could be used to automatically create a new site administrator if the victim has enough privileges.&nbsp;<br><br>The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only versions 3.17.2 and&nbsp;3.18.0 were tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable.<br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6", "shortName": "CERT-PL", "dateUpdated": "2026-04-07T10:46:19.052Z"}}}, "cveMetadata": {"cveId": "CVE-2026-4420", "state": "PUBLISHED", "dateUpdated": "2026-04-07T16:28:47.502Z", "dateReserved": "2026-03-19T10:22:11.295Z", "assignerOrgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6", "datePublished": "2026-04-07T10:46:19.052Z", "assignerShortName": "CERT-PL"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Bludit is vulnerable to Stored Cross-Site Scripting (XSS) in its page creating functionality. An authenticated attacker with page creation privileges (such as Author, Editor, or Administrator) can embed a malicious JavaScript payload in the tags\u00a0field of a newly created article. This payload will be executed when a victim visits the URL of the uploaded resource. The uploaded resource itself is accessible without authentication. Critically, this vulnerability could be used to automatically create a new site administrator if the victim has enough privileges.\u00a0\n\nThe vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only versions 3.17.2 and\u00a03.18.0 were tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable."}], "id": "CVE-2026-4420", "lastModified": "2026-04-07T13:20:11.643", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.1, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cvd@cert.pl", "type": "Secondary"}]}, "published": "2026-04-07T11:16:07.810", "references": [{"source": "cvd@cert.pl", "url": "https://cert.pl/en/posts/2026/04/CVE-2026-4420"}, {"source": "cvd@cert.pl", "url": "https://github.com/bludit/bludit/"}], "sourceIdentifier": "cvd@cert.pl", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "cvd@cert.pl", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "3.17.2"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "3.18.0"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Bludit", "source": "cna", "vendor": "Bludit"}, "product": "bludit", "vendor": "bludit"}], "analysis": {"en": {"generated_at": "2026-04-07T12:20:23.552759+00:00", "value": {"mitigation_remediation": ["Apply the vendor\u2011issued patch or upgrade to a non\u2011vulnerable version as soon as it becomes available.", "Sanitize or remove the tags field from the page creation form to eliminate the vector for script injection.", "Restrict page\u2011creation privilege to trusted users and review access controls regularly.", "Disable or monitor the feature that permits automatic administrator creation to prevent unauthorized account escalation.", "Inspect site logs for anomalous account activity and remove any unexpectedly created administrator accounts."], "summary": {"action": "Immediate Patch", "impact": "Stored Cross\u2011Site Scripting via tags field"}, "threat_synthesis": {"affected_systems": "The vulnerability has been verified on Bludit versions\u202f3.17.2 and\u202f3.18.0. Other releases were not formally tested but are suspected to be affected as well, so any site running versions from this range should be treated as at risk.", "description_and_impact": "Bludit allows authenticated users with page\u2011creation rights to insert arbitrary JavaScript into the tags field of a newly created article. Because the tags field is rendered without escaping, the script runs in any browser that opens the article\u2019s URL, creating a classic stored XSS. An attacker can abuse this to steal session cookies, deface the site, execute arbitrary actions on behalf of the victim, or, if the victim possesses higher\u2011level administrative privileges, automatically create a new administrator account.", "risk_and_exploitability": "The CVSS score of 5.1 indicates moderate severity. Because the exploit requires an authenticated account with article\u2011creation rights, the risk is limited to sites with loose permission controls or where attackers can compromise a low\u2011privilege user. The missing EPSS data and absence from the KEV catalog suggest exploitation is not yet widespread, but the potential to elevate privileges by auto\u2011creating an administrator elevates the threat level for sites with exposed vulnerable functionality."}}}}, "created": "2026-04-08T19:38:29.120968+00:00", "updated": "2026-04-08T19:49:49.080359+00:00", "vendors": ["bludit", "bludit$PRODUCT$bludit"]}