CVE-2026-27742 MEDIUM

CVE-2026-27742: Bludit <= 3.16.2 Stored XSS in Post Content

Vendor Bludit
Product Bludit
Weakness CWE-79 · XSS
Published February 23, 2026
Last update March 5, 2026
View on NVD All CVEs

CVSS base score

5.1/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

What the vulnerability does

01Description

Bludit version 3.16.2 contains a stored cross-site scripting (XSS) vulnerability in the post content functionality. The application performs client-side sanitation of content input but does not enforce equivalent sanitation on the server side. An authenticated user can inject arbitrary JavaScript into the content field of a post, which is stored and later rendered to other users without proper output encoding. When viewed, the injected script executes in the context of the victim’s browser, allowing session hijacking, credential theft, content manipulation, or other actions within the user’s privileges.

Key dates

02Disclosure timeline

February 23, 2026 CVE published
March 5, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2025-40721 Reflected Cross-site Scripting (XSS) vulnerability in Quiter Gateway CVE-2024-9158 XSS CVE-2026-41318 AnythingLLM vulnerable to stored DOM XSS in chart caption renderer - LLM-driven prompt injection produces executable HTML via unsanitized renderMarkdown(content.caption) in Chartable component CVE-2026-39970 TypeBot: Stored Cross-Site Scripting (XSS) via SVG File Upload On Profile Picture Form CVE-2025-5972 PHPGurukul Restaurant Table Booking System manage-subadmins.php cross site scripting