CVE-2026-41456 MEDIUM

CVE-2026-41456: Bludit CMS Reflected XSS via Search Plugin

Vendor Bludit
Product bludit
Weakness CWE-79 · XSS
Published April 21, 2026
Last update May 14, 2026

CVSS base score

5.1/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

What the vulnerability does

01 Description

Bludit CMS prior to commit 6732dde contains a reflected cross-site scripting vulnerability in the search plugin that allows unauthenticated attackers to inject arbitrary JavaScript by crafting a malicious search query. Attackers can execute malicious scripts in the browsers of users who visit crafted URLs containing the payload, potentially stealing session cookies or performing actions on behalf of affected users.

Key dates

02 Disclosure timeline

April 21, 2026 CVE published
May 14, 2026 Record updated