Multiple Bludit CMS Flaws Enable RCE, XSS, and Session Hijacking
CERT Polska disclosed four vulnerabilities in the Bludit content management system, including an unrestricted file upload flaw tracked as CVE-2026-25099 that can lead to remote code execution, a stored XSS issue in image upload handling (CVE-2026-25100), a session fixation weakness that can enable session hijacking (CVE-2026-25101), and a separate stored XSS flaw in page creation tracked as CVE-2026-4420. The vulnerabilities were reported by researchers Arkadiusz Marta and Yassin Abdelrazek and affect multiple Bludit versions, with CVE-2026-25099 impacting all releases before 3.18.4, CVE-2026-25101 affecting versions before 3.17.2, CVE-2026-25100 affecting all versions through 3.18.2, and CVE-2026-4420 confirmed in 3.17.2 and 3.18.0.
The XSS flaws can be exploited by authenticated users with content or page creation privileges by injecting malicious JavaScript into uploaded SVG content or article tags, with payloads executing when victims access publicly reachable resources without authentication. CERT Polska said the page-creation XSS could be used to automatically create a new site administrator if the victim has sufficient privileges, while the file upload issue could allow direct server-side compromise through remote code execution. The agency also said vendor coordination was incomplete, noting the vendor stopped responding or did not provide details on remediation and affected version ranges, raising uncertainty over whether some future releases may remain vulnerable.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
6 events from the most recent confirmed update back to the earliest known activity.
CERT Polska discloses Bludit stored XSS flaw CVE-2026-4420
CERT Polska publicly disclosed CVE-2026-4420, a stored XSS vulnerability affecting confirmed Bludit versions 3.17.2 and 3.18.0. It noted the vendor did not respond with details about the vulnerability or affected version range during coordination.
Researcher reports CVE-2026-4420 in Bludit to CERT Polska
Researcher Yassin Abdelrazek responsibly reported a stored cross-site scripting vulnerability in Bludit's page creation functionality to CERT Polska. The flaw allowed an authenticated user with page creation privileges to inject JavaScript via the tags field and potentially create a new administrator if a privileged victim triggered it.
CERT Polska discloses three Bludit vulnerabilities
CERT Polska publicly disclosed CVE-2026-25099, CVE-2026-25100, and CVE-2026-25101 affecting Bludit. It said CVE-2026-25100 affected all versions through 3.18.2 and warned future versions might remain vulnerable because the vendor stopped responding during coordination.
Bludit fixes CVE-2026-25099 in version 3.18.4
Bludit version 3.18.4 fixed CVE-2026-25099, an unrestricted file upload flaw that could lead to remote code execution and affected versions before 3.18.4. CERT Polska disclosed the issue after coordination.
Bludit fixes CVE-2026-25101 in version 3.17.2
Bludit version 3.17.2 fixed CVE-2026-25101, a session fixation vulnerability affecting versions before 3.17.2. CERT Polska later identified this as one of the coordinatedly disclosed issues.
Researcher reports three Bludit vulnerabilities to CERT Polska
Researcher Arkadiusz Marta responsibly reported three vulnerabilities in the Bludit CMS to CERT Polska, initiating coordinated disclosure. The issues included unrestricted file upload leading to remote code execution, stored XSS in image upload handling, and session fixation.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Unauthenticated SQL Injection Flaws Expose Data in CMSsite and XATABoost CMS
Two content management systems were identified with **unauthenticated SQL injection** vulnerabilities that allow remote attackers to tamper with backend database queries and extract sensitive information. `CVE-2019-25697` affects **CMSsite 1.0**, where the `cat_id` parameter in `category.php` can be abused through crafted `GET` requests, potentially exposing usernames, credentials, and other database contents. A separate flaw, `CVE-2018-25300`, affects **XATABoost CMS 1.0.0** through a **union-based SQL injection** in the `id` parameter of `news.php`, also reachable remotely without authentication via crafted `GET` requests. Both records were published with **CWE-89** classification, CVSS v3.1 and v4.0 scoring data, and references to public advisories and exploit resources, underscoring the risk of database compromise in internet-exposed deployments.
Apr 29, 2026
Multiple Unrelated Critical Vulnerabilities Disclosed in October 2025
A series of critical and high-severity vulnerabilities affecting a diverse set of software products were publicly disclosed in October 2025. Epsilon RH by Grupo Castilla was found to have a SQL injection vulnerability (CVE-2025-41028) that allows attackers to manipulate the database by sending crafted POST requests to the 'sEstadoUsr' parameter in the '/epsilonnetws/WSAvisos.asmx' endpoint. Lanscope Endpoint Manager (CVE-2025-61932) was reported to have an improper origin verification flaw, enabling attackers to execute arbitrary code via specially crafted packets, though remote exploitation is not possible. Galaxy Software Services Vitals ESP Forum Module (CVE-2025-31342) was discovered to allow remote authenticated users to upload dangerous files, leading to arbitrary command execution. Fsas Technologies Inc.'s ETERNUS SF (CVE-2025-62577) contains incorrect default permissions, allowing low-privileged users to obtain database credentials and potentially escalate privileges to execute OS commands as an administrator. Excellent Infotek's Document Management System (CVE-2025-11948) is vulnerable to unauthenticated arbitrary file upload, enabling attackers to deploy web shells and execute code on the server. Vvveb CMS up to version 1.0.5 is susceptible to authenticated code injection via its Code Editor, allowing attackers to modify files and achieve remote code execution. The Theme Editor plugin for WordPress (CVE-2025-9890) is vulnerable to cross-site request forgery, which can be exploited to achieve remote code execution if an administrator is tricked into clicking a malicious link. The PPOM plugin for WooCommerce (CVE-2025-11391) allows unauthenticated arbitrary file uploads, posing a severe risk to affected e-commerce sites. The Appointments plugin for WordPress (CVE-2017-20206) and the Flickr Gallery plugin (CVE-2017-20207) both suffer from unauthenticated PHP object injection vulnerabilities, which have been actively exploited to create backdoors using the WP_Theme() class. RegistrationMagic (CVE-2017-20208) is also affected by a PHP object injection flaw, allowing attackers to fetch and install remote files. Finally, BLU-IC2 and BLU-IC4 devices (CVE-2025-11925) have an API that returns an incorrect Content-Type header, potentially enabling HTML/JavaScript injection in responses. Each of these vulnerabilities presents a significant risk, with several allowing remote code execution, privilege escalation, or the installation of persistent backdoors. The affected products span web applications, content management systems, endpoint management tools, and specialized enterprise software. Security teams are advised to review the specific advisories, apply patches or mitigations where available, and monitor for signs of exploitation, as several vulnerabilities have been reported as actively exploited in the wild. The diversity and severity of these disclosures underscore the ongoing need for rigorous vulnerability management and timely response to public advisories.
Mar 21, 2026
Unauthenticated RCE in com_mb24sysapi and High-Severity CSRF in DedeCMS
A newly recorded vulnerability, **CVE-2026-32968**, affects the `com_mb24sysapi` module and allows **unauthenticated remote code execution** through an OS command injection flaw. The weakness is classified as **CWE-78** and stems from improper neutralization of special elements in OS commands, enabling a remote attacker to execute arbitrary commands and potentially take full control of an affected system. The CVE is described as a variant of `CVE-2020-10383`, carries a **CVSS v3.1** vector of `AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`, and is referenced by CERT VDE advisories **VDE-2026-024** and **VDE-2026-025**. A separate high-severity issue, **CVE-2026-29839**, was recorded for **DedeCMS v5.7.118** in the `/sys_task_add.php` component. The flaw is a **Cross-Site Request Forgery** vulnerability classified as **CWE-352**, and its updated **CVSS v3.1** vector is `AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H`, indicating that successful exploitation could significantly affect confidentiality, integrity, and availability. The record includes references to a public gist and the DedeCMS website, highlighting another internet-exposed web application weakness with potentially serious impact.
Mar 24, 2026