Every CVE whose affected-product data names Bludit, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (42)
CVE-2019-17240 — CVSS 9.8 (critical): bl-kernel/security.class.php in Bludit 3.9.2 allows attackers to bypass a brute-force protection mechanism by using many different forged…
CVE-2020-18879 — CVSS 9.8 (critical): Unrestricted File Upload in Bludit v3.8.1 allows remote attackers to execute arbitrary code by uploading malicious files via the component…
CVE-2026-25101 — CVSS 9.8 (critical): Bludit allows user's session identifier to be set before authentication. The value of this session ID stays the same after authentication…
CVE-2020-20495 — CVSS 9.1 (critical): bludit v3.13.0 contains an arbitrary file deletion vulnerability in the backup plugin via the `deleteBackup' parameter.
CVE-2020-18190 — CVSS 9.1 (critical): Bludit v3.8.1 is affected by directory traversal. Remote attackers are able to delete arbitrary files via /admin/ajax/upload-profile-picture…
CVE-2023-31572 — CVSS 8.8 (high): An issue in Bludit 4.0.0-rc-2 allows authenticated attackers to change the Administrator password and escalate privileges via a crafted…
CVE-2024-24552 — CVSS 8.8 (high): A session fixation vulnerability in Bludit allows an attacker to bypass the server's authentication if they can trick an administrator or…
CVE-2024-24551 — CVSS 8.8 (high): A security vulnerability has been identified in Bludit, allowing authenticated attackers to execute arbitrary code through the Image API…
CVE-2019-12548 — CVSS 8.8 (high): Bludit before 3.9.0 allows remote code execution for an authenticated user by uploading a php file while changing the logo through…
CVE-2019-12742 — CVSS 8.8 (high): Bludit prior to 3.9.1 allows a non-privileged user to change the password of any account, including admin. This occurs because of…
CVE-2019-16113 — CVSS 8.8 (high): Bludit 3.9.2 allows remote code execution via bl-kernel/ajax/upload-images.php because PHP code can be entered with a .jpg file name, and…
CVE-2026-25099 — CVSS 8.8 (high): Bludit’s API plugin allows an authenticated attacker with a valid API token to upload files of any type and extension without…
CVE-2018-1000811 — CVSS 8.8 (high): bludit version 3.0.0 contains a Unrestricted Upload of File with Dangerous Type vulnerability in Content Upload in Pages Editor that can…
CVE-2024-24554 — CVSS 8.2 (high): Bludit uses predictable methods in combination with the MD5 hashing algorithm to generate sensitive tokens such as the API token and the…
CVE-2024-24550 — CVSS 8.1 (high): A security vulnerability has been identified in Bludit, allowing attackers with knowledge of the API token to upload arbitrary files…
CVE-2021-25808 — CVSS 7.8 (high): A code injection vulnerability in backup/plugin.php of Bludit 3.13.1 allows attackers to execute arbitrary code via a crafted ZIP file.
CVE-2023-24674 — CVSS 7.8 (high): Permissions vulnerability found in Bludit CMS v.4.0.0 allows local attackers to escalate privileges via the role:admin parameter.
CVE-2024-24553 — CVSS 7.5 (high): Bludit uses the SHA-1 hashing algorithm to compute password hashes. Thus, attackers could determine cleartext passwords with brute-force…
CVE-2020-23765 — CVSS 7.2 (high): A file upload vulnerability was discovered in the file path /bl-plugins/backup/plugin.php on Bludit version 3.12.0. If an attacker is able…
CVE-2020-19228 — CVSS 7.2 (high): An issue was found in bludit v3.13.0, unsafe implementation of the backup plugin allows attackers to upload arbitrary files.
CVE-2023-53907 — CVSS 6.5 (medium): Bludit versions before 3.13.1 contain an authenticated file download vulnerability in the Backup Plugin that allows logged-in users to…
CVE-2023-31698 — CVSS 5.4 (medium): Bludit v3.14.1 is vulnerable to Stored Cross Site Scripting (XSS) via SVG file on site logo. NOTE: the product's security model is that…
CVE-2023-34845 — CVSS 5.4 (medium): Bludit v3.14.1 was discovered to contain an arbitrary file upload vulnerability in the component /admin/new-content. This vulnerability…
CVE-2026-4420 — CVSS 5.4 (medium): Bludit is vulnerable to Stored Cross-Site Scripting (XSS) in its page creating functionality. An authenticated attacker with page creation…
CVE-2021-45745 — CVSS 5.4 (medium): A Stored Cross Site Scripting (XSS) vulnerability exists in Bludit 3.13.1 via the About Plugin in login panel.
CVE-2020-8812 — CVSS 5.4 (medium): Bludit 3.10.0 allows Editor or Author roles to insert malicious JavaScript on the WYSIWYG editor. NOTE: the vendor's perspective is that…
CVE-2017-16636 — CVSS 5.4 (medium): In Bludit v1.5.2 and v2.0.1, an XSS vulnerability is located in the new page, new category, and edit post function body message context…
CVE-2020-15006 — CVSS 5.4 (medium): Bludit 3.12.0 allows stored XSS via JavaScript code in an SVG document to bl-kernel/ajax/logo-upload.php.
CVE-2026-25100 — CVSS 5.4 (medium): Bludit is vulnerable to Stored Cross-Site Scripting (XSS) in its image upload functionality. An authenticated attacker with content upload…
CVE-2026-27742 — CVSS 5.4 (medium): Bludit version 3.16.2 contains a stored cross-site scripting (XSS) vulnerability in the post content functionality. The application…
CVE-2021-45744 — CVSS 5.4 (medium): A Stored Cross Site Scripting (XSS) vulnerability exists in bludit 3.13.1 via the TAGS section in login panel.
CVE-2020-15026 — CVSS 4.9 (medium): Bludit 3.12.0 allows admins to use a /plugin-backup-download?file=../ directory traversal approach for arbitrary file download via…
CVE-2023-24675 — CVSS 4.8 (medium): Cross Site Scripting Vulnerability in BluditCMS v.3.14.1 allows attackers to execute arbitrary code via the Categories Friendly URL.
CVE-2024-25297 — CVSS 4.8 (medium): Cross Site Scripting (XSS) vulnerability in Bludit CMS version 3.15, allows remote attackers to execute arbitrary code and obtain sensitive…
CVE-2019-16334 — CVSS 4.8 (medium): In Bludit v3.9.2, there is a persistent XSS vulnerability in the Categories -> Add New Category -> Name field. NOTE: this may overlap…
CVE-2020-8811 — CVSS 4.3 (medium): ajax/profile-picture-upload.php in Bludit 3.10.0 allows authenticated users to change other users' profile pictures.
CVE-2026-27741 — CVSS 4.3 (medium): Bludit version 3.16.1 contains a cross-site request forgery (CSRF) vulnerability in the /admin/uninstall-plugin/ and /admin/install-theme/…
CVE-2022-1590 — CVSS 3.5 (low): A vulnerability was found in Bludit 3.13.1. It has been declared as problematic. This vulnerability affects the endpoint /admin/new-content…