Description
Bootstrapy CMS contains multiple SQL injection vulnerabilities that allow unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through POST parameters. Attackers can inject SQL payloads into the thread_id parameter of forum-thread.php, the subject parameter of contact-submit.php, the post-id parameter of post-new-submit.php, and the thread-id parameter to extract sensitive database information or cause denial of service.
Published: 2026-03-24
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Unrestricted SQL injection leading to data exposure or denial of service
Action: Immediate Patch
AI Analysis

Impact

This vulnerability allows unauthenticated attackers to inject arbitrary SQL through several POST parameters in the Bootstrapy CMS forum and contact modules. The values thread_id, subject, post-id and thread-id are placed into SQL statements without neutralization (CWE-89), so an attacker controls the resulting query and can read data the application would not otherwise return, including sensitive user records, or issue queries expensive enough to degrade the database (denial of service).

Affected Systems

Bootstrapy CMS is affected. The vulnerable code is in the forum-thread.php, contact-submit.php and post-new-submit.php scripts; the file that handles the thread-id parameter is not named in the report. No specific version information is provided, so treat every deployed version as affected until the vendor states otherwise. Note that the vendor/product mapping recorded on this page (Getbootstrap bootstrap) is the CPE entry for the Bootstrap front-end framework, a different product; asset inventories matched on that CPE will not identify Bootstrapy CMS installs.

Risk and Exploitability

The CVSS v4.0 base score is 8.8 (High); the CVSS v3.1 vector scores 8.2. Both vectors rate availability impact as none (VA:N, A:N) and integrity as low, so the scoring reflects data exposure rather than the denial-of-service outcome mentioned in the description. EPSS is below 1%, but an exploit is publicly documented in Exploit-DB and the SSVC enrichment records Exploitation: poc and Automatable: yes, so exploitation requires little effort. The absence of a KEV listing does not lower the risk: the flaw is reachable with unauthenticated HTTP POST requests to the listed endpoints (AV:N, PR:N, UI:N).

Generated by OpenCVE AI on March 24, 2026 at 12:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check the Bootstrapy CMS official website or support channels for a security patch or updated release.
  • If no patch is available, modify the affected scripts to pass thread_id, subject, post-id and thread-id to the database as bound parameters of prepared statements, and validate the numeric identifiers as integers before use; this is the only fix that removes the flaw.
  • Restrict access to the forum and contact submission endpoints to authenticated or trusted users if the application allows such configuration.
  • As a stopgap, deploy a web application firewall or intrusion prevention system configured to detect and block SQL injection patterns in the affected POST parameters, and treat alerts on those endpoints as likely exploitation attempts.
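To make the Impact section and the second recommended action concrete, the following is an added example written for this page, not code from Bootstrapy CMS: a query built by string concatenation, of the kind the description implies for a parameter such as thread_id, beside the prepared-statement form with integer validation. It runs stand-alone against an in-memory SQLite database with constructed rows; the threads table, its columns, the function names and the payload are assumptions, not the CMS schema or a documented exploit.

```php
<?php
// Added example, not Bootstrapy CMS code. Demonstrates the CWE-89 pattern
// for an integer POST parameter (thread_id) and the prepared-statement fix.
// The table, columns and rows below are constructed for the example.

declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE threads (id INTEGER PRIMARY KEY, subject TEXT, private INTEGER)');
$pdo->exec("INSERT INTO threads VALUES (1, 'Welcome', 0), (2, 'Staff only', 1), (3, 'Bug reports', 0)");

// Vulnerable shape: the untrusted value is spliced into the SQL text, so any
// operators or comment markers it carries become part of the query.
function threadSubjectsUnsafe(PDO $pdo, string $threadId): array
{
    $sql = "SELECT subject FROM threads WHERE id = " . $threadId . " AND private = 0";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened shape: the value is validated as an integer and then bound to a
// placeholder, so the database only ever sees it as data, never as SQL.
function threadSubjectsSafe(PDO $pdo, string $threadId): array
{
    $id = filter_var($threadId, FILTER_VALIDATE_INT);
    if ($id === false) {
        throw new InvalidArgumentException('thread_id must be an integer');
    }
    $stmt = $pdo->prepare('SELECT subject FROM threads WHERE id = :id AND private = 0');
    $stmt->execute([':id' => $id]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed POST value: a tautology followed by a comment marker, which
// discards the rest of the WHERE clause in the concatenated query.
$payload = "1 OR 1=1 --";

print_r(threadSubjectsUnsafe($pdo, $payload));
print_r(threadSubjectsSafe($pdo, '1'));
try {
    threadSubjectsSafe($pdo, $payload);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

Run it with a PHP build that has the pdo_sqlite extension. With the constructed payload the concatenated query returns every row, the private one included, because the injected OR 1=1 -- rewrites the WHERE clause; the prepared version returns only the requested thread, and the integer check rejects the payload before any query is issued. The same change applies to the subject parameter of contact-submit.php, except that subject is free text and is bound as a string parameter rather than validated as an integer.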


Advisories

No advisories yet.

History

Wed, 25 Mar 2026 12:00:00 +0000

Type                  Values Removed    Values Added
First Time appeared                     Getbootstrap
                                        Getbootstrap bootstrap
Vendors & Products                      Getbootstrap
                                        Getbootstrap bootstrap

Tue, 24 Mar 2026 18:15:00 +0000

Type                  Values Removed    Values Added
Metrics                                 ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 24 Mar 2026 11:45:00 +0000

Type                  Values Removed    Values Added
Description                             Bootstrapy CMS contains multiple SQL injection vulnerabilities that allow unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through POST parameters. Attackers can inject SQL payloads into the thread_id parameter of forum-thread.php, the subject parameter of contact-submit.php, the post-id parameter of post-new-submit.php, and the thread-id parameter to extract sensitive database information or cause denial of service.
Title                                   Bootstrapy CMS Lastest Multiple SQL Injection via Forum and Contact Modules
Weaknesses                              CWE-89
References
Metrics                                 cvssV3_1: {'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}
                                        cvssV4_0: {'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED
Assigner: VulnCheck
Published:
Updated: 2026-03-24T17:49:23.150Z
Reserved: 2026-03-24T11:04:17.766Z
Link: CVE-2019-25642

Vulnrichment

Updated: 2026-03-24T17:49:19.093Z

NVD

Status: Deferred
Published: 2026-03-24T12:16:06.450
Modified: 2026-05-01T15:21:32.393
Link: CVE-2019-25642

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T20:39:29Z

Weaknesses