Description
A vulnerability was found in Bootstrap CMS 0.9.0-alpha. Affected is an unknown function of the file resources/views/pages/show.blade.php of the component Page Creation Handler. Performing a manipulation of the argument body results in code injection. Remote exploitation of the attack is possible. The exploit has been made public and could be used. The code repository of the project has not been active for many years. This vulnerability only affects products that are no longer supported by the maintainer.
Published: 2026-04-30
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows an attacker to inject malicious code into the Blade template used by the Page Creation Handler, specifically the file resources/views/pages/show.blade.php. By manipulating the body argument, an attacker can cause the server to execute unintended PHP code. This can lead to full compromise of the affected server, exposing confidential data, altering system integrity, and potentially shutting down services. The flaw is a direct instance of server‑side template injection, providing a clear path for remote code execution.

Affected Systems

Bootstrap CMS version 0.9.0‑alpha is the only affected release, and it is not actively maintained. The vulnerability resides in a function of the resources/views/pages/show.blade.php file within the Page Creation Handler component.

Risk and Exploitability

The CVSS score of 5.3 indicates medium severity. The EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog. The available public exploit demonstrates that the flaw can be triggered remotely via HTTP requests. Because the product is unsupported, no official patch exists to remediate the flaw, which makes mitigations to prevent exploitation more urgent.

Generated by OpenCVE AI on May 1, 2026 at 04:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Disable or remove Bootstrap CMS from your environment entirely.
  • If removal is not possible, restrict access to the HTML page rendering endpoint so that only trusted IP addresses can reach it.
  • Continuously monitor web traffic for anomalous body parameters or attempts to inject code, and block any that deviate from expected input patterns.

Advisories

No advisories yet.

History

Fri, 01 May 2026 08:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Bootstrap, Bootstrap cms
Vendors & Products | | Bootstrap, Bootstrap cms

Thu, 30 Apr 2026 23:15:00 +0000

Type | Values Removed | Values Added
Description | | A vulnerability was found in Bootstrap CMS 0.9.0-alpha. Affected is an unknown function of the file resources/views/pages/show.blade.php of the component Page Creation Handler. Performing a manipulation of the argument body results in code injection. Remote exploitation of the attack is possible. The exploit has been made public and could be used. The code repository of the project has not been active for many years. This vulnerability only affects products that are no longer supported by the maintainer.
Title | | Bootstrap CMS Page Creation show.blade.php code injection
Weaknesses | | CWE-74, CWE-94
References | |
Metrics | | cvssV2_0: {'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
 | | cvssV3_0: {'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
 | | cvssV3_1: {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
 | | cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-30T22:45:14.459Z

Reserved: 2026-04-30T14:58:51.166Z

Link: CVE-2026-7508

Vulnrichment

No data.

NVD

Status: Deferred

Published: 2026-04-30T23:16:21.097

Modified: 2026-05-01T15:26:24.553

Link: CVE-2026-7508

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T08:20:59Z

Weaknesses