CVE-2026-25100
Stored XSS via SVG File Upload in BluditBludit is vulnerable to Stored Cross-Site Scripting (XSS) in its image upload functionality. An authenticated attacker with content upload privileges (such as Author, Editor, or Administrator) can upload an SVG file containing a malicious payload, which is executed when a victim visits the URL of the uploaded resource. The uploaded resource itself is accessible without authentication. The vendor was notified early about this vulnerability, but stopped responding in the middle of coordination. All versions up to 3.18.2 are considered to be vulnerable, future versions might also be vulnerable.
We have discovered 1,299 live websites that are affected by CVE-2026-25100.
Affected Software
| Product | |
| Category | Content Management System |
| Vulnerable Domains | 1,299 live websites (100% of Bludit install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 20 versions ( 91% of all versions) |
Common Weakness Enumeration
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')Details
- Published - Mar 27, 2026
- Updated - Mar 27, 2026
Credits
- Arkadiusz Marta (finder)
CVE References
CWE References
CWE
Website Distribution by Country
Number of websites using CVE-2026-25100 United States | 254 websites |
 Germany | 415 websites |
 Ukraine | 138 websites |
 France | 73 websites |
 Poland | 63 websites |
 Russia | 58 websites |
 Switzerland | 46 websites |
 Czech Republic | 24 websites |
 GB | 23 websites |
 Italy | 19 websites |
Website Distribution by TLD
Number of websites using CVE-2026-25100| .de | 318 websites |
| .com | 249 websites |
| .fr | 86 websites |
| .net | 56 websites |
| .ru | 50 websites |
| .pl | 47 websites |
| .org | 47 websites |
| .ch | 44 websites |
| .eu | 26 websites |
| .cz | 23 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redWebsites affected by CVE-2026-25100
Top websites that are affected by CVE-2026-25100. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| ******.de | Germany | *,*** | |
| *******.de | Germany | *,*** | |
| *************.de | Germany | *,*** | |
| *****************.jetzt | Germany | **,*** | |
| ************.io | United States | **,*** | |
| ********.com | United States | ***,*** | |
| *********.com | United States | ***,*** | |
| ******.de | Germany | ***,*** | |
| *****.com | United States | ***,*** | |
| ************.eu | United States | ***,*** |
FAQ
CVE-2026-25100 is Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Bludit
A total of 1,299 websites have been identified as vulnerable to CVE-2026-25100, based on global website indexing conducted by WebTechSurvey.
The Bludit is affected by the CVE-2026-25100 vulnerability.
Bludit versions up to and including 3.18.2 are vulnerable to CVE-2026-25100.