Description
Bolt CMS versions 3.7.0 and earlier contain a chain of vulnerabilities that together allow an authenticated user to achieve remote code execution. A user with valid credentials can inject arbitrary PHP code into the displayname field of the user profile, which is rendered unsanitized in backend templates. The attacker can then list and rename cached session files via the /async/browse/cache/.sessions and /async/folder/rename endpoints. By renaming a .session file to a path under the publicly accessible /files/ directory with a .php extension, the attacker can turn the injected code into an executable web shell. Finally, the attacker triggers the payload via a crafted HTTP GET request to the rogue file.

NOTE: The vendor announced that Bolt 3 reached end-of-life after 31 December 2021.
Published: 2025-07-03
Score: 7.5 High
EPSS: 64.3% High
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A user possessing valid credentials in Bolt CMS 3.7.0 and earlier can inject arbitrary PHP code into the profile displayname field. That code is rendered without sanitization when the user profile is displayed in backend templates. By exploiting the /async/browse/cache/.sessions endpoint to list session files and the /async/folder/rename endpoint to rename them, the attacker can move a session file to a path under the publicly accessible /files/ directory and give it a ".php" extension. The web server then treats the renamed file as executable PHP, turning the injected code into a web shell. A crafted HTTP GET request to that rogue file activates the payload, providing the attacker with unrestricted code execution on the affected host.

Affected Systems

Bolt CMS versions 3.7.0 and earlier, provided by the Bolt:CMS vendor. The vendor has announced end-of-life for Bolt 3 as of 31 December 2021, meaning no further security support is offered for these releases.

Risk and Exploitability

The CVSS score of 7.5 indicates a high severity condition. An EPSS score of 64% suggests a significant likelihood of exploitation in the wild. The vulnerability is not listed in CISA KEV. Attackers must first authenticate to the system; once authenticated, they can follow the described path to achieve arbitrary code execution. The combination of authentication, payload injection, file manipulation, and execution in a public directory results in a powerful attack vector that poses a severe risk to confidentiality, integrity, and availability of affected installations.

Generated by OpenCVE AI on April 29, 2026 at 21:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Bolt CMS to version 3.7.1 or newer to remove the vulnerable code paths.
  • Reconfigure the web server or application to disallow execution of PHP files in the publicly accessible "/files/" directory, ensuring that renamed files cannot be executed.
  • Restrict or disable access to the "/async/browse/cache/.sessions" and "/async/folder/rename" endpoints so that only privileged users can list or rename session files.

Generated by OpenCVE AI on April 29, 2026 at 21:05 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-19905 Bolt CMS vulnerable to authenticated remote code execution
Github GHSA Github GHSA GHSA-p9qc-8jjx-g8cg Bolt CMS vulnerable to authenticated remote code execution
History

Wed, 19 Nov 2025 12:30:00 +0000

Type Values Removed Values Added
First Time appeared Bolt
Bolt bolt Cms
CPEs cpe:2.3:a:bolt:bolt_cms:*:*:*:*:*:*:*:*
Vendors & Products Bolt
Bolt bolt Cms

Tue, 16 Sep 2025 20:00:00 +0000

Type Values Removed Values Added
First Time appeared Boltcms
Boltcms bolt
CPEs cpe:2.3:a:boltcms:bolt:*:*:*:*:*:*:*:*
Vendors & Products Boltcms
Boltcms bolt
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Wed, 16 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.00926}

 epss

{'score': 0.00683}

Mon, 07 Jul 2025 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 03 Jul 2025 20:00:00 +0000

Type Values Removed Values Added
Description Bolt CMS versions 3.7.0 and earlier contain a chain of vulnerabilities that together allow an authenticated user to achieve remote code execution. A user with valid credentials can inject arbitrary PHP code into the displayname field of the user profile, which is rendered unsanitized in backend templates. The attacker can then list and rename cached session files via the /async/browse/cache/.sessions and /async/folder/rename endpoints. By renaming a .session file to a path under the publicly accessible /files/ directory with a .php extension, the attacker can turn the injected code into an executable web shell. Finally, the attacker triggers the payload via a crafted HTTP GET request to the rogue file. NOTE: The vendor announced that Bolt 3 reached end-of-life after 31 December 2021.
Title Bolt CMS Authenticated Remote Code Execution via Profile Injection and File Rename
Weaknesses CWE-434
CWE-94
References
Metrics cvssV4_0

{'score': 7.5, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Bolt Bolt Cms
Boltcms Bolt
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-07T14:09:22.487Z

Reserved: 2025-04-15T19:15:22.551Z

Link: CVE-2025-34086

cve-icon Vulnrichment

Updated: 2025-07-07T19:02:54.759Z

cve-icon NVD

Status : Analyzed

Published: 2025-07-03T20:15:22.683

Modified: 2025-09-16T19:51:00.940

Link: CVE-2025-34086

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-29T21:15:16Z

Weaknesses