CVE-2026-27741

Bludit <= 3.16.1 CSRF in Plugin and Theme Management Endpoints

CVSS 5.1 MEDIUMEPSS 0.1%CWE-352

Vexday Risk Score

13Low

SSVC decision (CISA)

Track

No exploitation signal → monitor

CVSS 5.1EPSS 0.1%KEV nãoPoC —Nuclei —Metasploit —Patch —

Lifecycle

23 Feb 2026Published on NVD

Recommendation: Monitor — no exploitation signal at the moment.

Bludit version 3.16.1 contains a cross-site request forgery (CSRF) vulnerability in the /admin/uninstall-plugin/ and /admin/install-theme/ endpoints. The application does not implement anti-CSRF tokens or other request origin validation mechanisms for these administrative actions. An attacker can induce an authenticated administrator to visit a malicious page that silently submits crafted requests, resulting in unauthorized plugin uninstallation or theme installation. This may lead to loss of functionality, execution of untrusted code via malicious themes, and compromise of system integrity.

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Affected products

Bludit · Bludit

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://github.com/bludit/bludit/issues/1577 https://www.vulncheck.com/advisories/bludit-csrf-in-plugin-and-theme-management-endpoints