Description
A security flaw has been discovered in bolo-blog up to 2.6.4. The affected element is an unknown function of the file /console/article/ of the component Article Title Handler. Performing a manipulation of the argument articleTitle results in cross site scripting. It is possible to initiate the attack remotely. The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.
Published: 2026-03-24
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting
Action: Apply Patch
AI Analysis

Impact

The vulnerability permits an attacker to inject script through the articleTitle parameter of the /console/article/ endpoint. The Article Title Handler places the submitted title into the generated page without output encoding, so markup in the title is parsed by the browser of any user who views the rendered title, and any script in it runs in the context of the bolo-blog site. The record lists CWE-79 (Improper Neutralization of Input During Web Page Generation) together with CWE-94 (Improper Control of Generation of Code). The crafted request can be sent remotely over HTTP, but the CVSS vectors recorded in the history below qualify this: PR:H means the attacker needs a privileged account on the /console/ administration interface, and UI:R (CVSS 3.x) / UI:P (CVSS 4.0) means a victim has to load the page in which the title is rendered.
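The following is an added example, not bolo-blog code, written to show the mechanism described above: a title interpolated into HTML without output encoding becomes live markup, while the same title encoded for the HTML-body context at the point of output stays inert. It also shows why the blocklist-style input filtering often proposed as a fix (and mentioned under Recommended Actions) is insufficient on its own. The template fragment, function names and payload strings are assumptions constructed for the demonstration.

```python
"""Added example, not bolo-blog code: why output encoding (not input filtering) fixes CWE-79.

render_title_vulnerable() and render_title_hardened() are stand-ins for a blog
template that prints an article title into the HTML body. reject_script_tags()
is a deliberately naive input filter of the kind often proposed as a fix.
All payload strings are constructed test inputs.
"""
import html
import re

TEMPLATE = '<h1 class="article-title">{}</h1>'  # hypothetical template fragment


def render_title_vulnerable(article_title: str) -> str:
    """Interpolates the raw title: any markup in it becomes markup in the page."""
    return TEMPLATE.format(article_title)


def render_title_hardened(article_title: str) -> str:
    """Encodes the title for the HTML-body context at the point of output.

    html.escape() encodes < > & and (with quote=True, the default) both quote
    characters, so the same helper stays safe if the value later lands inside
    an attribute value as well.
    """
    return TEMPLATE.format(html.escape(article_title))


_SCRIPT_TAG = re.compile(r"</?script\b[^>]*>", re.IGNORECASE)


def reject_script_tags(article_title: str) -> str:
    """Naive blocklist 'validation': strips <script> and </script> in one pass."""
    return _SCRIPT_TAG.sub("", article_title)


_TAG_NAME = re.compile(r"<\s*/?\s*([A-Za-z][\w-]*)")
_TEMPLATE_TAGS = {"h1"}


def injected_tags(rendered: str) -> list[str]:
    """Tag names a browser would parse out of `rendered` beyond the template's own <h1>.

    An empty list means the title reached the page as inert text.
    """
    return [t.lower() for t in _TAG_NAME.findall(rendered) if t.lower() not in _TEMPLATE_TAGS]


def demo() -> dict[str, list[str]]:
    """Runs three constructed payloads through each rendering path."""
    payloads = {
        "img-onerror": "<img src=x onerror=alert(1)>",
        "svg-onload": "<svg onload=alert(1)>",
        # Single-pass stripping reassembles the very tag it removed.
        "nested-script": "<scr<script>ipt>alert(1)</scr</script>ipt>",
    }
    results = {}
    for name, payload in payloads.items():
        results[f"{name}/raw"] = injected_tags(render_title_vulnerable(payload))
        results[f"{name}/blocklist"] = injected_tags(render_title_vulnerable(reject_script_tags(payload)))
        results[f"{name}/encoded"] = injected_tags(render_title_hardened(payload))
    return results


if __name__ == "__main__":
    for case, tags in demo().items():
        print(f"{case:26} -> {'inert' if not tags else 'executes: ' + ', '.join(tags)}")
```

The encoding is applied where the value is emitted rather than when it is stored, because a stored title is typically also emitted into other contexts (feeds, JSON, attribute values) that need their own encoding; a template engine with auto-escaping enabled gives the same result for every HTML-body interpolation without relying on each call site to remember it.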

Affected Systems

The flaw affects bolo‑blog versions up to 2.6.4. No other vendors or products are listed. The affected component is the Article Title Handler in the /console/article/ path of the bolo‑blog platform.

Risk and Exploitability

The 4.8 shown above is the CVSS 4.0 base score (Medium); the CVSS 3.0/3.1 base score recorded for the same issue is 2.4 (Low) and the CVSS 2.0 score 3.3, the low values reflecting that a high-privilege account (PR:H) and victim interaction (UI:R) are both required. The EPSS score below 1% indicates a low probability of exploitation in the wild at present, and the vulnerability is not in the CISA Known Exploited Vulnerabilities catalog, although a public proof of concept exists (SSVC Exploitation: poc, Automatable: no). In practice an attacker who can reach the console submits a crafted articleTitle value, and the resulting cross-site scripting runs attacker-controlled JavaScript in the victim's browser within the origin of the bolo-blog site, where it can act with the victim's session.

Generated by OpenCVE AI on March 28, 2026 at 09:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply a vendor patch or upgrade bolo‑blog to a version newer than 2.6.4 when it becomes available
  • Encode the title for its HTML context at the point of output (template auto-escaping or an explicit HTML encoder) so that markup in articleTitle is rendered as text; server-side validation of the title may complement this, but filtering or blocklisting tags on input is not a fix on its own
  • Deploy an application-level firewall rule to detect or block cross-site scripting payloads sent to the /console/article/ endpoint as a stopgap until a fixed version exists
  • Monitor web server and application logs for articleTitle values containing markup, event-handler attributes or javascript: URLs; if the console sends the title in a request body rather than the query string, access logs alone will not show it and the check has to run where the body is visible
  • Stay engaged with the bolo‑blog community to receive future security updates and advisories
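As an added example of the log-monitoring action above (not bolo-blog code and not an OpenCVE tool), the block below scans constructed access-log lines for /console/article/ requests whose articleTitle value contains markup, an event-handler attribute or a javascript: URL, decoding the value repeatedly so that double-encoded payloads are not missed. The log format, client addresses and the assumption that the title travels in the query string are all constructed for the demonstration.

```python
"""Added example, not bolo-blog code: flagging suspicious articleTitle values in access logs.

The log lines are constructed (combined log format, RFC 5737 client addresses)
and assume the title arrives as a query-string parameter so that the web server
sees it. The detector decodes the value repeatedly (to catch double encoding)
and looks for markup, event-handler attributes and javascript: URLs.
"""
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

_LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
)

_INDICATORS = [
    ("html-markup", re.compile(r"<\s*/?[a-z!]", re.I)),
    ("event-handler", re.compile(r"\bon(?:error|load|click|mouseover|focus|blur|input|toggle)\s*=", re.I)),
    ("javascript-url", re.compile(r"javascript\s*:", re.I)),
]


def decode_fully(value: str, max_rounds: int = 3) -> str:
    """Percent-decodes until the value stops changing (bounded), so %253C is seen as <."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def title_indicators(raw_title: str) -> tuple[str, list[str]]:
    """Returns the decoded title and the names of the indicators it triggers."""
    title = decode_fully(raw_title)
    return title, [name for name, rx in _INDICATORS if rx.search(title)]


def scan_log_lines(lines, path_prefix="/console/article", param="articleTitle"):
    """Returns one finding per request whose articleTitle triggers an indicator."""
    findings = []
    for line in lines:
        m = _LOG_LINE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if not url.path.startswith(path_prefix):
            continue
        # parse_qs performs one round of decoding; decode_fully handles the rest.
        for raw in parse_qs(url.query, keep_blank_values=True).get(param, []):
            title, hits = title_indicators(raw)
            if hits:
                findings.append({"ip": m["ip"], "time": m["ts"], "title": title, "indicators": hits})
    return findings


SAMPLE_LOG = [  # constructed sample lines
    '203.0.113.5 - - [24/Mar/2026:10:45:01 +0000] "GET /console/article/?articleTitle=Hello%20World HTTP/1.1" 200 512',
    '203.0.113.7 - - [24/Mar/2026:10:45:09 +0000] "GET /console/article/?articleTitle=%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E HTTP/1.1" 200 498',
    '203.0.113.7 - - [24/Mar/2026:10:45:12 +0000] "GET /console/article/?articleTitle=%253Csvg%2Fonload%3Dalert(1)%253E HTTP/1.1" 200 498',
    '198.51.100.2 - - [24/Mar/2026:10:46:00 +0000] "GET /index.html?articleTitle=%3Cb%3E HTTP/1.1" 200 2048',
    '203.0.113.9 - - [24/Mar/2026:10:46:30 +0000] "POST /console/article/ HTTP/1.1" 200 64',
    '203.0.113.9 - - [24/Mar/2026:10:46:45 +0000] "GET /console/article/?articleTitle=javascript%3Aalert(1) HTTP/1.1" 200 498',
]


if __name__ == "__main__":
    for f in scan_log_lines(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} {','.join(f['indicators'])}: {f['title']!r}")
```

The POST line in the sample produces no finding even though that is the request shape in which a console would normally submit a title: the body is not in the access log. Where that is the case, run title_indicators() on the parameter where the body is visible (application log, request filter or WAF) rather than on the access log. The patterns are a monitoring heuristic to surface exploitation attempts, not a substitute for output encoding in the application.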



Advisories

No advisories yet.

History

Sat, 28 Mar 2026 03:15:00 +0000

Type: Description
Values Removed: the same description text with the version range rendered as "bolo-blog 까지 2.6.4" (까지 is Korean for "up to")
Values Added: A security flaw has been discovered in bolo-blog up to 2.6.4. The affected element is an unknown function of the file /console/article/ of the component Article Title Handler. Performing a manipulation of the argument articleTitle results in cross site scripting. It is possible to initiate the attack remotely. The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.

Thu, 26 Mar 2026 13:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 24 Mar 2026 10:45:00 +0000

Type: First Time appeared
Values Added: Bolo-blog; Bolo-blog bolo-solo
Type: Vendors & Products
Values Added: Bolo-blog; Bolo-blog bolo-solo

Tue, 24 Mar 2026 02:30:00 +0000

Type: Description
Values Added: A security flaw has been discovered in bolo-blog up to 2.6.4 (originally rendered "bolo-blog 까지 2.6.4"; 까지 is Korean for "up to"). The affected element is an unknown function of the file /console/article/ of the component Article Title Handler. Performing a manipulation of the argument articleTitle results in cross site scripting. It is possible to initiate the attack remotely. The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.
Type: Title
Values Added: bolo-blog Article Title article cross site scripting
Type: Weaknesses
Values Added: CWE-79, CWE-94
Type: References
Values Added:
Type: Metrics
Values Added:
cvssV2_0 {'score': 3.3, 'vector': 'AV:N/AC:L/Au:M/C:N/I:P/A:N/E:POC/RL:ND/RC:UR'}
cvssV3_0 {'score': 2.4, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}
cvssV3_1 {'score': 2.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}
cvssV4_0 {'score': 4.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-03-27T22:27:37.660Z

Reserved: 2026-03-23T05:53:41.459Z

Link: CVE-2026-4616

Vulnrichment

Updated: 2026-03-26T12:26:26.118Z

NVD

Status: Deferred

Published: 2026-03-24T01:17:02.367

Modified: 2026-04-24T16:32:53.997

Link: CVE-2026-4616

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-29T20:28:50Z

Weaknesses