Cross-Site Request Forgery in Bludit by Bludit
CVE-2026-27741

5.1MEDIUM

Key Information:

Vendor: Bludit
Status: Bludit
Vendor: CVE Published:; 23 February 2026

What is CVE-2026-27741?

Bludit version 3.16.1 suffers from a cross-site request forgery vulnerability within the administrative endpoints responsible for uninstalling plugins and installing themes. The application lacks essential anti-CSRF tokens and does not validate the request origin, allowing an attacker to trick an authenticated administrator into clicking on a malicious link. This action can lead to the unauthorized uninstallation of plugins or installation of untrusted themes, potentially compromising the integrity of the system and executing harmful code.

Affected Version(s)

Bludit 0 <= 3.16.1

References

https://github.com/bludit/bludit/issues/1577

issue-tracking

https://www.vulncheck.com/advisories/bludit-csrf-in-plugi...

third-party-advisory

CVSS V4

Score:

5.1

Severity:

MEDIUM

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Feb 23, 2026
Vulnerability Reserved
Feb 23, 2026

Credit

Ryan Chan (@RyanC34)

Beatriz Fresno Naumova

CVE-2026-27741 Data

JSON