Skip to main content

Bolt CMS CVE-2026-39229

| EUVDEUVD-2026-33350 MEDIUM
SQL Injection (CWE-89)
2026-05-29 cve@mitre.org GHSA-j85r-p3j3-xxp2
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

3
Analysis Generated
May 29, 2026 - 20:22 vuln.today
CVSS changed
May 29, 2026 - 20:22 NVD
6.5 (MEDIUM)
CVE Published
May 29, 2026 - 16:16 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

Bolt CMS through 3.7.0 allows SQL Injection in the 'order' parameter of the content listing pages. An authenticated attacker with low-level privileges can exploit this through the OrderDirective component. This allows for the extraction of sensitive information

AnalysisAI

SQL Injection in Bolt CMS through version 3.7.0 exposes sensitive database contents to any authenticated low-privilege user via the unsanitized 'order' parameter on content listing pages. The CVSS vector (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) confirms network-exploitable, low-complexity access requiring only a low-privileged account, with full confidentiality impact but no integrity or availability impact - placing this squarely in the data-exfiltration threat category. No public exploit confirmed at time of analysis, and no vendor-released patch has been identified from available data.

Technical ContextAI

Bolt CMS is a PHP-based open-source content management system. The vulnerability resides in the OrderDirective component, which processes the 'order' GET/POST parameter used to sort content listing pages. CWE-89 (Improper Neutralization of Special Elements used in an SQL Command) indicates that user-supplied input for the sort column/direction is concatenated into a SQL query without adequate parameterization or escaping. Because ORDER BY clauses cannot be parameterized using standard prepared statement placeholders in most database drivers, developers often resort to allowlisting or manual sanitization - the absence of either here allows attackers to inject arbitrary SQL expressions. The affected codebase is available at github.com/bolt/bolt; the EUVD record EUVD-2026-33350 corroborates the NVD entry.

RemediationAI

No vendor-released patch has been identified at time of analysis - the available references do not point to a tagged release addressing this issue, only to the upstream GitHub repository and the project homepage. Operators should monitor boltcms.io and the bolt/bolt GitHub repository for a remediated release. As compensating controls, restrict CMS account creation and low-privilege role assignment to fully trusted users, since the attack requires authenticated access. Deploying a Web Application Firewall rule to block SQL metacharacters (UNION, SELECT, --, ;) in the 'order' parameter of content listing endpoints can reduce exploitation surface with minimal functional trade-off, as legitimate sort values are simple column names. Additionally, consider blocking or proxying direct CMS access from untrusted networks until a patch is available.

Share

CVE-2026-39229 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy