{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-41456", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "state": "PUBLISHED", "assignerShortName": "VulnCheck", "dateReserved": "2026-04-20T16:07:47.310Z", "datePublished": "2026-04-21T18:03:00.332Z", "dateUpdated": "2026-04-21T18:46:34.003Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-04-21T18:03:00.332Z"}, "title": "Bludit CMS Reflected XSS via Search Plugin", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "affected": [{"vendor": "bludit", "product": "bludit", "repo": "https://github.com/bludit/bludit", "versions": [{"status": "affected", "version": "0", "lessThanOrEqual": "3.20", "versionType": "semver"}, {"status": "affected", "version": "6732ddedda8b73ce0a017a1b6adf685100244e01", "versionType": "git"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Bludit CMS prior to commit 6732dde contains a reflected cross-site scripting vulnerability in the search plugin that allows unauthenticated attackers to inject arbitrary JavaScript by crafting a malicious search query. Attackers can execute malicious scripts in the browsers of users who visit crafted URLs containing the payload, potentially stealing session cookies or performing actions on behalf of affected users.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Bludit CMS prior to commit 6732dde contains a reflected cross-site scripting vulnerability in the search plugin that allows unauthenticated attackers to inject arbitrary JavaScript by crafting a malicious search query. Attackers can execute malicious scripts in the browsers of users who visit crafted URLs containing the payload, potentially stealing session cookies or performing actions on behalf of affected users.<br>"}]}], "references": [{"url": "https://gist.github.com/thepiyushkumarshukla/36b213cdb3c7d603e23fd23605cd681e", "tags": ["technical-description", "exploit"]}, {"url": "https://github.com/bludit/bludit/pull/1691", "tags": ["issue-tracking"]}, {"url": "https://github.com/bludit/bludit/commit/6732ddedda8b73ce0a017a1b6adf685100244e01", "tags": ["patch"]}, {"url": "https://www.vulncheck.com/advisories/bludit-cms-reflected-xss-via-search-plugin", "tags": ["third-party-advisory"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "ACTIVE", "vulnConfidentialityImpact": "NONE", "subConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "subIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "MEDIUM", "baseScore": 5.1, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"}}], "credits": [{"lang": "en", "value": "Piyush Kumar Shukla", "type": "finder"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-21T18:46:25.604166Z", "id": "CVE-2026-41456", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-21T18:46:34.003Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-41456", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-21T18:46:25.604166Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-21T18:46:29.123Z"}}], "cna": {"title": "Bludit CMS Reflected XSS via Search Plugin", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Piyush Kumar Shukla"}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 5.1, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "ACTIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "LOW", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "vulnConfidentialityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://github.com/bludit/bludit", "vendor": "bludit", "product": "bludit", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "3.20"}, {"status": "affected", "version": "6732ddedda8b73ce0a017a1b6adf685100244e01", "versionType": "git"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://gist.github.com/thepiyushkumarshukla/36b213cdb3c7d603e23fd23605cd681e", "tags": ["technical-description", "exploit"]}, {"url": "https://github.com/bludit/bludit/pull/1691", "tags": ["issue-tracking"]}, {"url": "https://github.com/bludit/bludit/commit/6732ddedda8b73ce0a017a1b6adf685100244e01", "tags": ["patch"]}, {"url": "https://www.vulncheck.com/advisories/bludit-cms-reflected-xss-via-search-plugin", "tags": ["third-party-advisory"]}], "x_generator": {"engine": "Vulnogram 1.0.1"}, "descriptions": [{"lang": "en", "value": "Bludit CMS prior to commit 6732dde contains a reflected cross-site scripting vulnerability in the search plugin that allows unauthenticated attackers to inject arbitrary JavaScript by crafting a malicious search query. Attackers can execute malicious scripts in the browsers of users who visit crafted URLs containing the payload, potentially stealing session cookies or performing actions on behalf of affected users.", "supportingMedia": [{"type": "text/html", "value": "Bludit CMS prior to commit 6732dde contains a reflected cross-site scripting vulnerability in the search plugin that allows unauthenticated attackers to inject arbitrary JavaScript by crafting a malicious search query. Attackers can execute malicious scripts in the browsers of users who visit crafted URLs containing the payload, potentially stealing session cookies or performing actions on behalf of affected users.<br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-04-21T18:03:00.332Z"}}}, "cveMetadata": {"cveId": "CVE-2026-41456", "state": "PUBLISHED", "dateUpdated": "2026-04-21T18:46:34.003Z", "dateReserved": "2026-04-20T16:07:47.310Z", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "datePublished": "2026-04-21T18:03:00.332Z", "assignerShortName": "VulnCheck"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Bludit CMS prior to commit 6732dde contains a reflected cross-site scripting vulnerability in the search plugin that allows unauthenticated attackers to inject arbitrary JavaScript by crafting a malicious search query. Attackers can execute malicious scripts in the browsers of users who visit crafted URLs containing the payload, potentially stealing session cookies or performing actions on behalf of affected users."}], "id": "CVE-2026-41456", "lastModified": "2026-04-21T19:16:18.557", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.1, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "disclosure@vulncheck.com", "type": "Secondary"}]}, "published": "2026-04-21T19:16:18.557", "references": [{"source": "disclosure@vulncheck.com", "url": "https://gist.github.com/thepiyushkumarshukla/36b213cdb3c7d603e23fd23605cd681e"}, {"source": "disclosure@vulncheck.com", "url": "https://github.com/bludit/bludit/commit/6732ddedda8b73ce0a017a1b6adf685100244e01"}, {"source": "disclosure@vulncheck.com", "url": "https://github.com/bludit/bludit/pull/1691"}, {"source": "disclosure@vulncheck.com", "url": "https://www.vulncheck.com/advisories/bludit-cms-reflected-xss-via-search-plugin"}], "sourceIdentifier": "disclosure@vulncheck.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "disclosure@vulncheck.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,3.20]"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "6732ddedda8b73ce0a017a1b6adf685100244e01"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "bludit", "source": "cna", "vendor": "bludit"}, "product": "bludit", "vendor": "bludit"}], "analysis": {"en": {"generated_at": "2026-04-22T05:36:37.974541+00:00", "value": {"mitigation_remediation": ["Upgrade to a Bludit release that includes commit 6732dde or later, which sanitizes the search query.", "Verify that the search functionality reflects inputs only in a safe manner; if the patch cannot be applied, disable or remove the search plugin from the site.", "As an interim precaution, enforce input validation on the search field to strip out HTML tags or script content."], "summary": {"action": "Immediate Patch", "impact": "Reflected Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "Affected products include Bludit CMS versions released before the security commit 6732dde. Users running those versions are susceptible; the specific affected release range is not listed, but the commit that resolves the issue is available on GitHub, and advisory references indicate that any pre\u2011commit version is vulnerable.", "description_and_impact": "The flaw exists in the Bludit CMS search plugin, where user\u2011supplied search terms are echoed into the page without proper escaping, allowing an unauthenticated attacker to inject arbitrary JavaScript. The result is a reflected XSS that can run when other users visit the crafted URL, enabling cookie theft or user\u2011context actions. This vulnerability corresponds to CWE\u201179.", "risk_and_exploitability": "The CVSS base score of 5.1 indicates moderate severity. Because the vulnerability is user\u2011initiated and requires only a crafted URL, the attack surface is wide and feasible; however, the EPSS score is not available, so the current exploitation probability is unknown. The flaw is not listed in CISA KEV, but because it is reflected XSS, any user can trigger it, making it potentially impactful for session hijacking or defacement."}}}}, "created": "2026-04-22T04:30:05.163870+00:00", "updated": "2026-04-22T05:45:09.822852+00:00", "vendors": ["bludit", "bludit$PRODUCT$bludit"]}