boltcms

Top products

The 15 most recently published vulnerabilities affecting boltcms.

• CVE-2025-34086Bolt CMS Authenticated Remote Code Execution via Profile Injection and File Rename8.8Jul 3, 2025
• CVE-2024-7300Bolt CMS Showcase Creation showcases cross site scripting3.5Jul 31, 2024
• CVE-2024-7299Bolt CMS Entry Preview page cross site scripting3.5Jul 31, 2024
• CVE-2022-31321The foldername parameter in Bolt 5.1.7 was discovered to have incorrect input validation, allowing attackers to perform directory enumeration or cause a Denial of Service (DoS) via a crafted input.9.1Aug 1, 2022
• CVE-2021-27367Controller/Backend/FileEditController.php and Controller/Backend/FilemanagerController.php in Bolt before 4.1.13 allow Directory Traversal.7.5Feb 17, 2021
• CVE-2020-28925Bolt before 3.7.2 does not restrict filter options in a Request in the Twig context, and is therefore inconsistent with the "How to Harden Your PHP for Better Security" guidance.5.3Dec 30, 2020
• CVE-2020-4041The filename of uploaded files vulnerable to stored XSS in Bolt CMS7.4Jun 8, 2020
• CVE-2020-4040CSRF issue on preview pages in Bolt CMS8.6Jun 8, 2020
• CVE-2019-9553Bolt 3.6.4 has XSS via the slug, teaser, or title parameter to editcontent/pages, a related issue to CVE-2017-11128 and CVE-2018-19933.6.1Dec 31, 2019
• CVE-2019-20058Bolt 3.7.0, if Symfony Web Profiler is used, allows XSS because unsanitized search?search= input is shown on the _profiler page. NOTE: this is disputed because profiling was never intended for use ...6.1Dec 29, 2019
• CVE-2019-15485Bolt before 3.6.10 has XSS via createFolder or createFile in Controller/Async/FilesystemManager.php.6.1Aug 23, 2019
• CVE-2019-15484Bolt before 3.6.10 has XSS via an image's alt or title field.6.1Aug 23, 2019
• CVE-2019-15483Bolt before 3.6.10 has XSS via a title that is mishandled in the system log.6.1Aug 23, 2019
• CVE-2019-10874Cross Site Request Forgery (CSRF) in the bolt/upload File Upload feature in Bolt CMS 3.6.6 allows remote attackers to execute arbitrary code by uploading a JavaScript file to include executable ext...8.8Apr 5, 2019
• CVE-2019-9185Controller/Async/FilesystemManager.php in the filemanager in Bolt before 3.6.5 allows remote attackers to execute arbitrary PHP code by renaming a previously uploaded file to have a .php extension.8.8Mar 7, 2019