CVE-2026-27741— Bludit <= 3.16.1 CSRF in Plugin and Theme Management Endpoints

Bludit <= 3.16.1 CSRF in Plugin and Theme Management Endpoints

Bludit version 3.16.1 contains a cross-site request forgery (CSRF) vulnerability in the /admin/uninstall-plugin/ and /admin/install-theme/ endpoints. The application does not implement anti-CSRF tokens or other request origin validation mechanisms for these administrative actions. An attacker can induce an authenticated administrator to visit a malicious page that silently submits crafted requests, resulting in unauthorized plugin uninstallation or theme installation. This may lead to loss of functionality, execution of untrusted code via malicious themes, and compromise of system integrity.

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

跨站请求伪造(CSRF)

Bludit 跨站请求伪造漏洞

Bludit是Bludit开源的一套开源的轻量级博客内容管理系统（CMS）。 Bludit 3.16.1版本存在跨站请求伪造漏洞，该漏洞源于/admin/uninstall-plugin/和/admin/install-theme/端点缺少反CSRF令牌，可能导致跨站请求伪造攻击。

N/A

N/A