CVE•Published 2026-06-08•Modified 2026-06-08•0 articles on news•5 live references•NVD data

CVE-2026-46657

Vulnerability data via NVD (ingested)

CVSS v3.1

7.1

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

EPSS percentile

—

Weaknesses (CWE)

CWE-212Improper Removal of Sensitive Information Before Storage or Transfer CWE-613Insufficient Session Expiration

Description

Bludit is a content management system. Versions prior to 3.22.0 have a vulnerability in the user management logic that allows deactivated accounts to maintain access via persistent authentication tokens. When an administrator disables a user account, the application fails to invalidate or clear the associated tokenAuth and tokenRemember fields in the JSON database. Consequently, any user with a pre-existing "Remember Me" cookie can bypass the account disablement and maintain a valid authenticated state. Version 3.22.0 patches the issue.

Timeline

Published 2026-06-08

Modified 2026-06-08

External references

NVD MITRE Exploit-DB Sploitus VulnCheck

Search for exposed instances

Shodan + Censys queries derived from NVD's CPE data. The vuln tag catches assets Shodan has explicitly linked to this CVE; the product / banner fingerprints find exposed instances even when the vuln tag was never applied (which is common). Live host counts are a Premium feature.

Shodan · vuln tag

vuln:CVE-2026-46657

Hosts Shodan has explicitly fingerprinted as vulnerable.

More intel sources (5)

Shodan report

vuln:CVE-2026-46657

Country / ASN / product breakdown for the vuln query.

Censys

vulnerabilities.cve_id: CVE-2026-46657

Censys host search filtered to this CVE id.

grep.app

CVE-2026-46657