CVE-2026-25101 | THREATINT

Description

Bludit allows user's session identifier to be set before authentication. The value of this session ID stays the same after authentication. This behavior enables an attacker to fix a session ID for a victim and later hijack the authenticated session. This issue was fixed in version 3.17.2.

PUBLISHED Reserved 2026-01-29 | Published 2026-03-27 | Updated 2026-03-27 | Assigner CERT-PL

MEDIUM: 4.8CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Problem types

CWE-384 Session Fixation

Product status

Default status

unaffected

Any version before 3.17.2

affected

Credits

Arkadiusz Marta finder

References

cert.pl/posts/2026/03/CVE-2026-25099 third-party-advisory

github.com/bludit/bludit/releases/tag/3.17.2 release-notes

cve.org (CVE-2026-25101)

nvd.nist.gov (CVE-2026-25101)

Download JSON