CVE-2026-27741
MEDIUM 4.3
Description
Bludit version 3.16.1 contains a cross-site request forgery (CSRF) vulnerability in the /admin/uninstall-plugin/ and /admin/install-theme/ endpoints. The application does not implement anti-CSRF tokens or other request origin validation mechanisms for these administrative actions. An attacker can induce an authenticated administrator to visit a malicious page that silently submits crafted requests, resulting in unauthorized plugin uninstallation or theme installation. This may lead to loss of functionality, execution of untrusted code via malicious themes, and compromise of system integrity.
CVE details
CVSS v3.1 score: 4.3
Severity: MEDIUM
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Attack vector: NETWORK
Complexity: LOW
Privileges required: NONE
User interaction: REQUIRED
Published: 2/23/2026
Last modified: 2/26/2026
Source: nvd
Honeypot sightings: 0
Affected products
bludit:bludit
Weaknesses (CWE)
CWE-352
References
https://github.com/bludit/bludit/issues/1577 (disclosure@vulncheck.com)
https://www.vulncheck.com/advisories/bludit-csrf-in-plugin-and-theme-management-endpoints (disclosure@vulncheck.com)
IOC correlations
No correlations recorded
This product uses data from the NVD API but is not endorsed or certified by the NVD.