CVE-2026-4420 MEDIUM

CVE-2026-4420: Stored XSS via Page Creating functionality in Bludit

Vendor Bludit

Product Bludit

Weakness CWE-79 · XSS

Published April 7, 2026

Last update April 7, 2026

View on NVD All CVEs

CVSS base score

5.1/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction —

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N

What the vulnerability does

01Description

Bludit is vulnerable to Stored Cross-Site Scripting (XSS) in its page creating functionality. An authenticated attacker with page creation privileges (such as Author, Editor, or Administrator) can embed a malicious JavaScript payload in the tags field of a newly created article. This payload will be executed when a victim visits the URL of the uploaded resource. The uploaded resource itself is accessible without authentication. Critically, this vulnerability could be used to automatically create a new site administrator if the victim has enough privileges. The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only versions 3.17.2 and 3.18.0 were tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable.

Key dates

02Disclosure timeline

April 7, 2026 CVE published

April 7, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-4420 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/79.html

Related vulnerabilities

Identifiers

CVE CVE-2026-4420

CWE CWE-79

CVSS 5.1 / MEDIUM

Affected versions

Vendor Bludit

Product Bludit

Affected 3.17.2

Vendor Bludit

Product Bludit

Affected 3.18.0

CVE-2026-4420: Stored XSS via Page Creating functionality in Bludit

01Description

02Disclosure timeline

03References

04Related CVE