CVE-2026-27741

Source
https://cve.org/CVERecord?id=CVE-2026-27741
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-27741.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-27741
Published
2026-02-23T22:01:57.417Z
Modified
2026-07-08T08:06:58.340956968Z
Severity
  • 5.1 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N CVSS Calculator
Summary
Bludit <= 3.16.1 CSRF in Plugin and Theme Management Endpoints
Details

Bludit version 3.16.1 contains a cross-site request forgery (CSRF) vulnerability in the /admin/uninstall-plugin/ and /admin/install-theme/ endpoints. The application does not implement anti-CSRF tokens or other request origin validation mechanisms for these administrative actions. An attacker can induce an authenticated administrator to visit a malicious page that silently submits crafted requests, resulting in unauthorized plugin uninstallation or theme installation. This may lead to loss of functionality, execution of untrusted code via malicious themes, and compromise of system integrity.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/27xxx/CVE-2026-27741.json",
    "cna_assigner": "VulnCheck",
    "cwe_ids": [
        "CWE-352"
    ]
}
References

Affected packages

Git / github.com/bludit/bludit

Affected ranges

Type
GIT
Repo
https://github.com/bludit/bludit
Events
Database specific
{
    "source": [
        "AFFECTED_FIELD",
        "CPE_STRING"
    ],
    "cpe": "cpe:2.3:a:bludit:bludit:3.16.1:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "3.16.1"
        },
        {
            "introduced": "3.16.1"
        }
    ]
}

Affected versions

3.*
3.16.1

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-27741.json"