Bludit · Bludit · CVE-2026-4420
**Name of the Vulnerable Software and Affected Versions**
Bludit versions 3.17.2 and 3.18.0
**Description**
Stored Cross-Site Scripting (XSS) exists in the page creating functionality. An authenticated attacker with page creation privileges, such as Author, Editor, or Administrator, can embed a malicious JavaScript payload in the `tags` field of a newly created article. This payload executes when a victim visits the URL of the uploaded resource, which is accessible without authentication. This issue could be used to automatically create a new site administrator if the victim possesses sufficient privileges.
**Recommendations**
At the moment, there is no information about a newer version that contains a fix for this vulnerability.