← voltar
CVE-2026-46656

Bludit CMS has improper authorization and mediation failure leading to persistent ghost sessions

CVSS 8.8 HIGHEPSS 0.3%CWE-285CWE-613
Vexday Risk Score
21Baixo
Decisão SSVC (CISA)
Track
Sem sinal de exploração → monitorar
CVSS 8.8EPSS 0.3%KEV nãoPoC Nuclei Metasploit Patch
Ciclo de vida
08 jun 2026Publicada no NVD
Recomendação: Monitorar — sem sinal de exploração no momento.
Bludit is a content management system. Versions prior to 3.22.0 have a Broken Access Control flaw where active sessions remain valid even after the corresponding user account has been physically deleted from the database. This "Ghost Session" allows revoked users to maintain full unauthorized access to the system. Version 3.22.0 fixes the issue.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Produtos afetados
bludit · bludit

Quer saber se a sua infraestrutura está exposta a isto?

Falar com a TrueHacking →
Referências
https://github.com/bludit/bludit/commit/7931d1c55a3cc535911a9901c328f0197afe1c9fhttps://github.com/bludit/bludit/releases/tag/3.22.0https://github.com/bludit/bludit/security/advisories/GHSA-rpq2-j9w3-h4jw