Cyber Posture

CVE-2026-25101

Severity: Critical

Published: 27 March 2026
Modified: 02 April 2026
KEV Added: not listed (not in the CISA KEV catalog)
Patch: fixed in Bludit 3.17.2
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0006 (19.4th percentile)
Risk Priority: 20 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-25101 is a critical-severity Session Fixation (CWE-384) vulnerability in Bludit (vendor Bludit, product Bludit), an open-source flat-file CMS. Its CVSS v3.1 base score is 9.8 (Critical).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 19.4th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and SC-23 (Session Authenticity).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and one other technique (T1550.004, Web Session Cookie). What defenders deploy: the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

Prevent: SC-23 (Session Authenticity) requires mechanisms that protect the authenticity of communications sessions. Regenerating the session identifier at authentication directly prevents session fixation, because an identifier known before login cannot be reused to hijack the session after login.

Prevent: IA-5 (Authenticator Management) mandates secure management of authenticators, session identifiers included, and requires that they be regenerated or otherwise protected to prevent fixation and unauthorized reuse.

Prevent: SI-2 (Flaw Remediation) ensures timely identification, reporting, and correction of flaws such as this session fixation issue, which is fixed in Bludit 3.17.2.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1550.004 Web Session Cookie (Lateral Movement)
Adversaries can use stolen session cookies to authenticate to web applications and services.

Why these techniques?

Session fixation in a public-facing CMS directly enables remote exploitation of the web application (T1190); the attacker-chosen session cookie then provides authenticated access once the victim logs in (T1550.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Bludit allows a user's session identifier to be set before authentication. The value of this session ID stays the same after authentication. This behavior enables an attacker to fix a session ID for a victim and later hijack the authenticated session. This issue was fixed in version 3.17.2.

Deeper analysis

CVE-2026-25101 is a session fixation vulnerability in Bludit, an open-source flat-file CMS. The flaw allows an attacker to set a user's session identifier before authentication, and this session ID remains unchanged after the user successfully logs in. This predictable session handling, tied to CWE-384 (Session Fixation), enables session hijacking and was assigned a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). The issue affects Bludit versions prior to 3.17.2.

Unauthenticated attackers can exploit this remotely with low complexity and no user interaction required. By forcing a victim to use a predetermined session ID—such as through a crafted link or malicious site—the attacker positions themselves to hijack the victim's authenticated session once login occurs. Successful exploitation grants full access to the victim's privileges, potentially allowing confidentiality breaches, data manipulation, or other administrative actions depending on the victim's role.

Mitigation is available via the official patch in Bludit version 3.17.2, as detailed in the project's GitHub release notes. Security advisories, including those from CERT.pl, recommend immediate upgrades for affected installations to regenerate session IDs properly upon authentication.
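The session-handling defect described above, as an added example that is not Bludit's code and is not taken from any advisory: a minimal server-side session store, the vulnerable login flow (pre-authentication id kept after login) next to the regenerating one, and a regression check that tells the two apart. All names and the store layout are constructed for this illustration.

```python
"""Model of the session-handling bug behind CVE-2026-25101 (CWE-384) and a
regression check for it. Constructed example, not Bludit's implementation."""
import secrets


class SessionStore:
    """Minimal server-side session table: session id -> attributes."""

    def __init__(self):
        self.sessions = {}

    def create(self):
        sid = secrets.token_hex(16)
        self.sessions[sid] = {"user": None}
        return sid

    def get(self, sid):
        # An unknown id becomes an empty session. This is what lets a value
        # chosen before login turn into a live session on the server.
        return self.sessions.setdefault(sid, {"user": None})


def login_vulnerable(store, sid, user, credentials_ok):
    """Keeps the pre-authentication id after login (the reported behaviour)."""
    if not credentials_ok:
        return sid
    store.get(sid)["user"] = user
    return sid


def login_fixed(store, sid, user, credentials_ok):
    """Issues a fresh id on successful login and retires the old one.
    In PHP this is the effect of session_regenerate_id(true) after
    credential verification."""
    if not credentials_ok:
        return sid
    old = store.get(sid)
    store.sessions.pop(sid, None)
    new_sid = store.create()
    store.sessions[new_sid].update(old, user=user)
    return new_sid


def session_fixation_possible(login):
    """Regression check: does an id known before authentication still
    resolve to the authenticated session afterwards?"""
    store = SessionStore()
    pre_auth_sid = store.create()  # id known to a third party before login
    login(store, pre_auth_sid, "victim", credentials_ok=True)
    # If this is True, whoever knows pre_auth_sid holds the victim's session.
    return store.get(pre_auth_sid)["user"] == "victim"
```

The check is the kind of assertion worth keeping in an application's test suite: after a successful login the identifier a client arrived with must no longer map to an authenticated session.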

Details

CWE(s)

CWE-384 (Session Fixation)

Affected Products

Vendor: bludit
Product: bludit
Versions: ≤ 3.17.2 (as listed; the NVD description states the issue was fixed in 3.17.2, so versions earlier than 3.17.2 are the ones to treat as affected)

CVEs Like This One

CVE-2026-25099 (same product: Bludit)
CVE-2026-2177 (shared CWE-384)
CVE-2025-7015 (shared CWE-384)
CVE-2025-27661 (shared CWE-384)
CVE-2026-24352 (shared CWE-384)
CVE-2026-33492 (shared CWE-384)
CVE-2026-23796 (shared CWE-384)
CVE-2025-63529 (shared CWE-384)
CVE-2025-52689 (shared CWE-384)
CVE-2023-53776 (shared CWE-384)
