CVE-2026-41456
MediumCVSS 5.1Exploitation Probability (EPSS)
Low risk30th percentile - higher than 30% of all known CVEs
Summary
Bludit CMS prior to commit 6732dde contains a reflected cross-site scripting vulnerability in the search plugin that allows unauthenticated attackers to inject arbitrary JavaScript by crafting a malicious search query. Attackers can execute malicious scripts in the browsers of users who visit crafted URLs containing the payload, potentially stealing session cookies or performing actions on behalf of affected users.
Risk Assessment
The risk for the organization includes the possibility of session theft and unauthorized actions performed on behalf of users, potentially leading to data confidentiality breaches and system integrity compromise.
Recommendation
It is recommended to immediately update Bludit CMS to a version containing commit 6732dde or later, and to implement input validation and encoding in the search plugin.
Original NVD description (English source)
Bludit CMS prior to commit 6732dde contains a reflected cross-site scripting vulnerability in the search plugin that allows unauthenticated attackers to inject arbitrary JavaScript by crafting a malicious search query. Attackers can execute malicious scripts in the browsers of users who visit crafted URLs containing the payload, potentially stealing session cookies or performing actions on behalf of affected users.

