CVE-2026-25100

EPSS 0.05%
Veröffentlicht 27.03.2026 12:16:20
Zuletzt bearbeitet 01.04.2026 13:56:52
Quelle cvd@cert.pl
CVE-Watchlists
Login
Unerledigt
Login

Bludit is vulnerable to Stored Cross-Site Scripting (XSS) in its image upload functionality. An authenticated attacker with content upload privileges (such as Author, Editor, or Administrator) can upload an SVG file containing a malicious payload, which is executed when a victim visits the URL of the uploaded resource. The uploaded resource itself is accessible without authentication.

The vendor was notified early about this vulnerability, but stopped responding in the middle of coordination. All versions up to 3.18.2 are considered to be vulnerable, future versions might also be vulnerable.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 5

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Bludit ≫ Bludit Version < 3.18.2

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.05%	0.149

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	5.4	2.3	2.7	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
cvd@cert.pl	4.8	0	0	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

https://cert.pl/posts/2026/03/CVE-2026-25099

Third Party Advisory

https://github.com/bludit/bludit/releases/tag/3.18.2

Release Notes

https://nvd.nist.gov/vuln/detail/CVE-2026-25100

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-25100

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-25100

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-25100