CVE-2026-4420

Name of the Vulnerable Software and Affected Versions Bludit versions 3.17.2 and 3.18.0

Description Stored Cross-Site Scripting (XSS) exists in the page creating functionality. An authenticated attacker with page creation privileges, such as Author, Editor, or Administrator, can embed a malicious JavaScript payload in the tags field of a newly created article. This payload executes when a victim visits the URL of the uploaded resource, which is accessible without authentication. This issue could be used to automatically create a new site administrator if the victim possesses sufficient privileges.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.