Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
3DescriptionCVE.org
Bolt CMS through 3.7.0 allows SQL Injection in the 'order' parameter of the content listing pages. An authenticated attacker with low-level privileges can exploit this through the OrderDirective component. This allows for the extraction of sensitive information
AnalysisAI
SQL Injection in Bolt CMS through version 3.7.0 exposes sensitive database contents to any authenticated low-privilege user via the unsanitized 'order' parameter on content listing pages. The CVSS vector (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) confirms network-exploitable, low-complexity access requiring only a low-privileged account, with full confidentiality impact but no integrity or availability impact - placing this squarely in the data-exfiltration threat category. No public exploit confirmed at time of analysis, and no vendor-released patch has been identified from available data.
Technical ContextAI
Bolt CMS is a PHP-based open-source content management system. The vulnerability resides in the OrderDirective component, which processes the 'order' GET/POST parameter used to sort content listing pages. CWE-89 (Improper Neutralization of Special Elements used in an SQL Command) indicates that user-supplied input for the sort column/direction is concatenated into a SQL query without adequate parameterization or escaping. Because ORDER BY clauses cannot be parameterized using standard prepared statement placeholders in most database drivers, developers often resort to allowlisting or manual sanitization - the absence of either here allows attackers to inject arbitrary SQL expressions. The affected codebase is available at github.com/bolt/bolt; the EUVD record EUVD-2026-33350 corroborates the NVD entry.
RemediationAI
No vendor-released patch has been identified at time of analysis - the available references do not point to a tagged release addressing this issue, only to the upstream GitHub repository and the project homepage. Operators should monitor boltcms.io and the bolt/bolt GitHub repository for a remediated release. As compensating controls, restrict CMS account creation and low-privilege role assignment to fully trusted users, since the attack requires authenticated access. Deploying a Web Application Firewall rule to block SQL metacharacters (UNION, SELECT, --, ;) in the 'order' parameter of content listing endpoints can reduce exploitation surface with minimal functional trade-off, as legitimate sort values are simple column names. Additionally, consider blocking or proxying direct CMS access from untrusted networks until a patch is available.
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33350
GHSA-j85r-p3j3-xxp2