CVE-2026-25101

Medium

Published: 27 March 2026

Modified: 02 April 2026
CVSS Score (v4): 4.8 (CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0036 (27.4th percentile)
Risk Priority: 35 (floored blend · peak EPSS)

Summary

CVE-2026-25101 is a medium-severity Session Fixation (CWE-384) vulnerability in Bludit Bludit. Its CVSS base score is 4.8 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 27.4th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and SC-23 (Session Authenticity).

Deeper analysis

CVE-2026-25101 is a session fixation vulnerability in Bludit, an open-source flat-file CMS. The flaw allows an attacker to set a user's session identifier before authentication, and this session ID remains unchanged after the user successfully logs in. This predictable session handling, tied to CWE-384 (Session Fixation), enables session hijacking and was assigned a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). The issue affects Bludit versions prior to 3.17.2.

Unauthenticated attackers can exploit this remotely with low complexity and no user interaction required. By forcing a victim to use a predetermined session ID—such as through a crafted link or malicious site—the attacker positions themselves to hijack the victim's authenticated session once login occurs. Successful exploitation grants full access to the victim's privileges, potentially allowing confidentiality breaches, data manipulation, or other administrative actions depending on the victim's role.

Mitigation is available via the official patch in Bludit version 3.17.2, as detailed in the project's GitHub release notes. Security advisories, including those from CERT.pl, recommend immediate upgrades for affected installations to regenerate session IDs properly upon authentication.

Vulnerability details

Bludit allows user's session identifier to be set before authentication. The value of this session ID stays the same after authentication. This behavior enables an attacker to fix a session ID for a victim and later hijack the authenticated session.…

This issue was fixed in version 3.17.2.
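As an added example, not Bludit's code or the project's 3.17.2 patch, the toy session store below contrasts the flawed login flow described above, in which the session ID the client arrived with survives authentication, with a hardened flow that issues a fresh ID on successful login and invalidates the old one. It also includes the defender-side check a regression test would make: log in with a session ID that already existed, then ask whether the ID was rotated and whether the old ID still resolves to the authenticated user. SessionStore, login_vulnerable, login_hardened, check_rotation and the credential table are assumptions for this illustration; Python stands in for Bludit's PHP.

```python
import secrets

# Constructed credential table for this example only; a real application
# compares against a stored password hash, never plaintext.
VALID_USERS = {"admin": "correct-horse-battery-staple"}


class SessionStore:
    """Minimal server-side session table: session_id -> attribute dict."""

    def __init__(self):
        self.sessions = {}

    @staticmethod
    def new_id():
        # 128 bits from the OS CSPRNG, so issued IDs are unguessable.
        return secrets.token_hex(16)

    def resume(self, session_id):
        """Look up the session for a client-presented ID, creating it if
        unknown. Adopting an arbitrary client-chosen ID is what lets a
        third party plant one before the victim authenticates."""
        if session_id is None:
            session_id = self.new_id()
        return session_id, self.sessions.setdefault(session_id, {"user": None})

    def regenerate(self, old_id):
        """Move the session's attributes under a fresh ID and delete the
        old one (the equivalent of PHP's session_regenerate_id(true))."""
        attrs = self.sessions.pop(old_id, {"user": None})
        new_id = self.new_id()
        self.sessions[new_id] = attrs
        return new_id


def login_vulnerable(store, cookie_sid, username, password):
    """Flawed flow: the pre-auth session ID is kept after a successful login,
    so whoever knew that ID beforehand now holds an authenticated session."""
    sid, sess = store.resume(cookie_sid)
    if VALID_USERS.get(username) != password:
        return sid, False
    sess["user"] = username
    return sid, True


def login_hardened(store, cookie_sid, username, password):
    """Fixed flow: authentication succeeds only into a freshly issued ID,
    and the ID the client arrived with stops resolving to any session."""
    sid, _ = store.resume(cookie_sid)
    if VALID_USERS.get(username) != password:
        return sid, False
    sid = store.regenerate(sid)
    store.sessions[sid]["user"] = username
    return sid, True


def whoami(store, sid):
    """Which user a later request presenting `sid` is treated as
    (None if the ID is unknown or never authenticated)."""
    return store.sessions.get(sid, {}).get("user")


def check_rotation(login_fn):
    """Defender's regression check: start from a session ID that existed
    before login and report whether login rotated it and whether the old
    ID still grants the authenticated identity."""
    store = SessionStore()
    planted = "deadbeef" * 4          # constructed pre-auth session ID
    store.resume(planted)             # the session exists before login
    post_sid, ok = login_fn(store, planted, "admin", VALID_USERS["admin"])
    assert ok, "login should succeed with valid credentials"
    return {
        "rotated": post_sid != planted,
        "old_id_authenticated": whoami(store, planted) == "admin",
    }


if __name__ == "__main__":
    for name, fn in (("vulnerable", login_vulnerable), ("hardened", login_hardened)):
        print(f"{name:10s} {check_rotation(fn)}")
```

Run stand-alone, the script reports `rotated: False, old_id_authenticated: True` for the flawed flow and the inverse for the hardened one. In a PHP application the hardened step is a call to session_regenerate_id(true) immediately after the credential check succeeds; the check_rotation helper is the shape of assertion that verifies an upgrade to 3.17.2 actually changed the observable behaviour.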

CWE(s): CWE-384 (Session Fixation)

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1550.004 Web Session Cookie (Lateral Movement)
Adversaries can use stolen session cookies to authenticate to web applications and services.
Why these techniques?

Session fixation in public-facing CMS directly enables remote exploitation of the web app (T1190) and subsequent use of the attacker-chosen web session cookie for authenticated access (T1550.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-25099 · same product: Bludit Bludit
CVE-2025-27661 · shared CWE-384
CVE-2025-7015 · shared CWE-384
CVE-2022-40916 · shared CWE-384
CVE-2026-2177 · shared CWE-384
CVE-2026-24352 · shared CWE-384
CVE-2026-33492 · shared CWE-384
CVE-2026-23796 · shared CWE-384
CVE-2023-53776 · shared CWE-384
CVE-2025-52689 · shared CWE-384

Affected Assets

bludit / bludit: ≤ 3.17.2

Mitigating Controls (NIST 800-53 r5)

Prevent · SC-23 requires mechanisms to protect the authenticity of communications sessions, directly preventing session fixation attacks by ensuring session identifiers cannot be hijacked post-authentication.

Prevent · IA-5 mandates secure management of authenticators including session identifiers, requiring regeneration or protection to prevent fixation and unauthorized reuse.

Prevent · SI-2 ensures timely identification, reporting, and correction of flaws like the session fixation vulnerability fixed in Bludit 3.17.2.