CVE-2026-27741

MEDIUM SEVERITY

CVSS Score & Metrics

Base Score

4.3 / 10

Vector String

                                        CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N                                    

Vulnerability Description

Bludit version 3.16.1 contains a cross-site request forgery (CSRF) vulnerability in the /admin/uninstall-plugin/ and /admin/install-theme/ endpoints. The application does not implement anti-CSRF tokens or other request origin validation mechanisms for these administrative actions. An attacker can induce an authenticated administrator to visit a malicious page that silently submits crafted requests, resulting in unauthorized plugin uninstallation or theme installation. This may lead to loss of functionality, execution of untrusted code via malicious themes, and compromise of system integrity.

Vulnerability Details

Published Date

February 23, 2026

Last Modified

February 26, 2026

CWE ID

CWE-352

Source

NVD

Vendor

Bludit

Product

Bludit

External References

https://github.com/bludit/bludit/issues/1577
https://www.vulncheck.com/advisories/bludit-csrf-in-plugin-and-theme-management-endpoints

CVE-2026-27741

CVSS Score & Metrics

Vulnerability Description

Vulnerability Details

External References

Discussion (0)

Add Comment