CVE-2026-11511: Bolt CMS HTML Injection Vulnerability – Unsupported Software Risk
Bolt CMS versions up to 3.7.5 contain a vulnerability in how it handles HTML attributes within text fields. An authenticated attacker can manipulate the 'style' argument to inject arbitrary HTML code, potentially affecting the visual presentation or behavior of a web page. The vulnerability requires user interaction (a user must view the injected content) and authentication, limiting its immediate risk. However, because Bolt CMS is no longer actively maintained, affected organizations should plan transitions away from this platform.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 3.5 LOW · CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N
- Weaknesses (CWE)
- CWE-74, CWE-80
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-08 / 2026-06-17
NVD description (verbatim)
A weakness has been identified in Bolt CMS up to 3.7.5. This vulnerability affects unknown code of the file src/Storage/Field/Type/TextType.php of the component HTML Attribute Handler. Executing a manipulation of the argument style can lead to HTML injection. It is possible to launch the attack remotely. The exploit has been made available to the public and could be used for attacks. The GitHub repository was archived by the owner and is now read-only. This vulnerability only affects products that are no longer supported by the maintainer.
5 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability exists in the TextType.php component's HTML Attribute Handler, which fails to properly sanitize user-supplied style arguments before rendering them in HTML output. This is classified as CWE-74 (Improper Neutralization of Special Elements) and CWE-80 (Improper Neutralization of Script-Related HTML Tags), allowing stored or reflected HTML injection. The CVSS 3.1 score of 3.5 reflects the requirement for authenticated access and user interaction, despite the network-accessible attack vector. The vulnerability does not directly enable code execution or confidentiality breaches on the server side.
Business impact
Organizations running unsupported Bolt CMS instances face increased operational risk. While the vulnerability's severity is low and requires authentication, it can be exploited to deface content, inject malicious scripts that target end users, or spread misinformation. The critical business issue is that the project is archived and no longer receives security updates, meaning future vulnerabilities will remain unpatched. This creates a long-term liability for compliance audits and customer trust, particularly for public-facing content management systems.
Affected systems
Bolt CMS versions up to and including 3.7.5 are affected. The vendor has archived the GitHub repository, indicating end-of-life status. No newer versions are available from the original maintainer. Organizations should identify all instances of Bolt CMS in their environment and assess whether any remain in production or development.
Exploitability
Public exploit code is available, lowering the barrier to proof-of-concept development. However, practical exploitation requires three conditions: (1) network access to a Bolt CMS instance, (2) valid authentication credentials, and (3) a user must view the injected content for the attack to manifest. The low CVSS score reflects these constraints. Attackers cannot directly achieve code execution or data exfiltration through this vector alone, but it is a stepping stone to more complex attack chains involving client-side exploitation.
Remediation
The fundamental remedy is migration away from Bolt CMS to an actively maintained content management system (such as WordPress with hardened plugins, Statamic, or a custom headless solution). If immediate replacement is impossible, implement network segmentation to restrict access to Bolt CMS administrators only, enforce strong password policies, and deploy a Web Application Firewall (WAF) with rules to detect and block HTML/script injection patterns in request parameters. Input validation and output encoding at the application layer would also reduce attack surface, but these cannot be implemented without patching the unmaintained codebase.
Patch guidance
No security patches are available from the original maintainers, as the project is archived and no longer supported. Verify this status with any community forks or third-party vendors who may have branched the codebase. Do not expect updates. Organizations must treat this as a sunset scenario and prioritize decommissioning or replacing affected instances within a documented timeline (recommend 6–12 months based on business criticality).
Detection guidance
Monitor access logs for authentication attempts to Bolt CMS administrators and audit successful logins for unusual patterns. Search request logs for suspicious 'style' attribute values containing script tags, event handlers (onclick, onload, etc.), or encoded payloads in URL or POST parameters targeting the TextType.php component or field input handlers. Implement file integrity monitoring on the src/Storage/Field/Type/ directory to detect unauthorized modifications. Security Information and Event Management (SIEM) queries can flag repeated HTML/script injection attempts in a short timeframe, suggesting active exploitation attempts.
Why prioritize this
Although the CVSS score is low, organizations should prioritize this issue based on maintenance status rather than raw severity. A vulnerability in unmaintained software with public exploits represents a permanent risk vector that cannot be patched. Prioritization should focus on identifying all affected instances and scheduling migrations, not on tactical patching. This is a strategic remediation decision, not an emergency.
Risk score, explained
The CVSS 3.1 score of 3.5 (LOW) reflects the authentication requirement (PR:L), user interaction requirement (UI:R), and lack of impact on confidentiality or system availability (C:N, A:N). The integrity impact is limited (I:L) because the attack affects the appearance of content rather than critical data or system control. The network-accessible attack vector (AV:N) prevents a lower score. However, the context of unsupported software and public exploits elevates operational risk beyond the numeric score; organizations should treat this as a medium-priority migration trigger rather than a low-priority patch.
Frequently asked questions
Can this vulnerability allow remote code execution or server compromise?
No. The vulnerability is limited to HTML injection in rendered output. It cannot directly execute code on the server or bypass authentication. However, injected HTML/JavaScript could target end users who view the compromised content, potentially leading to credential theft or malware distribution if combined with other attacks.
Our organization still runs Bolt CMS for an internal wiki or legacy project. How urgent is this?
Urgency depends on exposure. If the instance is isolated to a trusted internal network with limited users and strong authentication, the immediate risk is lower. However, because patches are unavailable, you should still plan a migration within 6–12 months. Document the instance's location and assign ownership for decommissioning. Do not deploy new internal systems on Bolt CMS.
Can a Web Application Firewall (WAF) fully protect us while we migrate?
A WAF can significantly reduce attack surface by blocking requests containing HTML/script injection patterns, but it is not a complete substitute for patching or migration. WAF rules may generate false positives and require ongoing tuning. Use WAF as a temporary protective layer during the migration period, not as a permanent solution.
How do I know if my Bolt CMS instance is vulnerable?
All versions up to and including 3.7.5 are vulnerable. Check your installation's version number in the admin panel or by examining the codebase. If you are running any version of Bolt CMS, assume it is vulnerable and plan a migration. No version received security patches for this issue.
This analysis is based on the published CVE record and available threat intelligence as of the publication date. CVSS scores and severity ratings reflect the official CVSS 3.1 assessment and may not account for organization-specific risk factors or threat landscape changes. Organizations should verify patch availability and compatibility against official vendor advisories before implementing any remediation. The vulnerability requires authentication and user interaction, but public exploits exist; assess your specific deployment's exposure before deprioritizing. This document does not constitute security advice for your organization and should be reviewed by qualified security personnel in context of your specific infrastructure and risk tolerance. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10060MEDIUMTRENDnet TEW-432BRP Command Injection—End-of-Life Router Vulnerability
- CVE-2026-10061MEDIUMTRENDnet TEW-432BRP Command Injection Vulnerability – Remediation via Replacement
- CVE-2026-10110HIGHSQL Injection in code-projects Student Details Management System 1.0
- CVE-2026-10111HIGHSQL Injection in sambitraj STUDENT-MANAGEMENT-SYSTEM 1.0 Login
- CVE-2026-10127MEDIUMEdimax BR-6478AC Command Injection in Firmware 1.23
- CVE-2026-10155MEDIUMSQL Injection in Bdtask Multi-Store Inventory Management System 1.0
- CVE-2026-10166MEDIUMEdimax BR-6478AC Command Injection – Authentication Required
- CVE-2026-10170MEDIUMSQL Injection in code-projects Visitor Management System 1.0