Bolt

This hub aggregates every CVE we track for Bolt, a product in the oss libraries space. Use it to gauge the current risk picture and drill into individual advisories.

OSS Libraries

CVEs tracked

Critical

High

In CISA KEV

Severity distribution

MEDIUM12HIGH6LOW2CRITICAL1

Monthly trend

2024-072026-06

Latest CVEs

See all →

The 15 most recently published vulnerabilities affecting Bolt.

CVE-2025-34086Bolt CMS Authenticated Remote Code Execution via Profile Injection and File Rename8.8Jul 3, 2025
CVE-2024-7300Bolt CMS Showcase Creation showcases cross site scripting3.5Jul 31, 2024
CVE-2024-7299Bolt CMS Entry Preview page cross site scripting3.5Jul 31, 2024
CVE-2023-5214CVE-2023-5214 - Privilege Escalation in Puppet Bolt 6.5Oct 6, 2023
CVE-2022-31321The foldername parameter in Bolt 5.1.7 was discovered to have incorrect input validation, allowing attackers to perform directory enumeration or cause a Denial of Service (DoS) via a crafted input.9.1Aug 1, 2022
CVE-2022-2394Sensitive Parameter Exposure in Puppet Bolt prior to 3.244.1Jul 19, 2022
CVE-2021-27367Controller/Backend/FileEditController.php and Controller/Backend/FilemanagerController.php in Bolt before 4.1.13 allow Directory Traversal.7.5Feb 17, 2021
CVE-2020-28925Bolt before 3.7.2 does not restrict filter options in a Request in the Twig context, and is therefore inconsistent with the "How to Harden Your PHP for Better Security" guidance.5.3Dec 30, 2020
CVE-2020-4041The filename of uploaded files vulnerable to stored XSS in Bolt CMS7.4Jun 8, 2020
CVE-2020-4040CSRF issue on preview pages in Bolt CMS8.6Jun 8, 2020
CVE-2019-9553Bolt 3.6.4 has XSS via the slug, teaser, or title parameter to editcontent/pages, a related issue to CVE-2017-11128 and CVE-2018-19933.6.1Dec 31, 2019
CVE-2019-20058Bolt 3.7.0, if Symfony Web Profiler is used, allows XSS because unsanitized search?search= input is shown on the _profiler page. NOTE: this is disputed because profiling was never intended for use ...6.1Dec 29, 2019
CVE-2019-15485Bolt before 3.6.10 has XSS via createFolder or createFile in Controller/Async/FilesystemManager.php.6.1Aug 23, 2019
CVE-2019-15484Bolt before 3.6.10 has XSS via an image's alt or title field.6.1Aug 23, 2019
CVE-2019-15483Bolt before 3.6.10 has XSS via a title that is mishandled in the system log.6.1Aug 23, 2019

Product normalization is registry-driven with AI assist and human review. How it works