PT-2026-21568 · Bludit · Bludit

Ryan Chan · Published 2026-02-23 · Updated 2026-02-24

CVE-2026-27741
CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Bludit version 3.16.1

Description: The application lacks anti-CSRF tokens or request origin validation for administrative actions. An attacker can trick an authenticated administrator into visiting a malicious page, which silently submits crafted requests. This can lead to unauthorized plugin uninstallation via the /admin/uninstall-plugin/ endpoint or theme installation via the /admin/install-theme/ endpoint. Successful exploitation may result in loss of functionality, execution of untrusted code through malicious themes, and compromise of system integrity.

Recommendations: Apply updates to address the issue in Bludit version 3.16.1.
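As an added, illustrative example (not Bludit's own code), the two server-side checks the advisory says are absent, anti-CSRF token validation and request-origin validation, applied to the two admin endpoints it names. The form field name `csrf_token`, the header handling and the site origin are assumptions for the example.

```python
import hmac
from urllib.parse import urlsplit

# State-changing admin endpoints named in the advisory.
STATE_CHANGING_PATHS = ("/admin/uninstall-plugin/", "/admin/install-theme/")


def origin_allowed(headers, site_origin):
    """Accept a request only if its Origin (or, failing that, Referer) is the site itself."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    origin = h.get("origin")
    if origin is None:
        referer = h.get("referer")
        if referer is None:
            return False  # no provenance at all: reject rather than guess
        parts = urlsplit(referer)
        origin = f"{parts.scheme}://{parts.netloc}"
    return origin.lower() == site_origin.lower()


def token_valid(form, session_token):
    """Compare the submitted anti-CSRF token with the one bound to the admin session."""
    submitted = form.get("csrf_token", "")  # assumed field name, not Bludit's
    if not session_token or not submitted:
        return False
    return hmac.compare_digest(submitted, session_token)  # constant-time comparison


def is_admin_request_allowed(method, path, headers, form, session_token, site_origin):
    """Gate the two endpoints: POST only, same-origin only, valid session-bound token only."""
    if not path.startswith(STATE_CHANGING_PATHS):
        return True  # other routes are out of scope for this example
    if method.upper() != "POST":
        return False  # state changes must never ride on a GET a page can trigger silently
    return origin_allowed(headers, site_origin) and token_valid(form, session_token)
```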

Weakness Enumeration: CSRF

Related Identifiers: CVE-2026-27741

Affected Products: Bludit