{"url":"http://public2.vulnerablecode.io/api/packages/57728?format=json","purl":"pkg:composer/bolt/bolt@3.6.6","type":"composer","namespace":"bolt","name":"bolt","version":"3.6.6","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":null,"latest_non_vulnerable_version":null,"affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/40869?format=json","vulnerability_id":"VCID-1w3g-1bcg-9fb7","summary":"Cross-Site Request Forgery (CSRF)\nCross Site Request Forgery (CSRF) in the `bolt/upload` File Upload feature in Bolt CMS allows remote attackers to execute arbitrary code by uploading a JavaScript file to include executable extensions in the `file/edit/config/config.yml` configuration file.","references":[{"reference_url":"http://packetstormsecurity.com/files/152429/Bolt-CMS-3.6.6-Cross-Site-Request-Forgery-Code-Execution.html","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://packetstormsecurity.com/files/152429/Bolt-CMS-3.6.6-Cross-Site-Request-Forgery-Code-Execution.html"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2019-10874","reference_id":"","reference_type":"","scores":[{"value":"0.00389","scoring_system":"epss","scoring_elements":"0.60359","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00389","scoring_system":"epss","scoring_elements":"0.60361","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00389","scoring_system":"epss","scoring_elements":"0.60312","published_at":"2026-06-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2019-10874"},{"reference_url":"https://fgsec.net/from-csrf-to-rce-bolt-cms","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH"
,"scoring_system":"generic_textual","scoring_elements":""}],"url":"https://fgsec.net/from-csrf-to-rce-bolt-cms"},{"reference_url":"https://github.com/bolt/bolt","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/bolt/bolt"},{"reference_url":"https://github.com/bolt/bolt/pull/7768/commits/91187aef36363a870d60b0a3c1bf8507af34c9e4","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/bolt/bolt/pull/7768/commits/91187aef36363a870d60b0a3c1bf8507af34c9e4"},{"reference_url":"https://www.exploit-db.com/exploits/46664","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.exploit-db.com/exploits/46664"},{"reference_url":"https://www.exploit-db.com/exploits/46664/","reference_id":"","reference_type":"","scores":[],"url":"https://www.exploit-db.com/exploits/46664/"},{"reference_url":"https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/php/webapps/46664.html","reference_id":"CVE-2019-10874","reference_type":"exploit","scores":[],"url":"https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/php/webapps/46664.html"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2019-10874","reference_id":"CVE-2019-10874","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/v
uln/detail/CVE-2019-10874"},{"reference_url":"https://github.com/advisories/GHSA-3g6c-88pf-m46f","reference_id":"GHSA-3g6c-88pf-m46f","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-3g6c-88pf-m46f"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/57729?format=json","purl":"pkg:composer/bolt/bolt@3.6.7","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-66gv-4k2x-5bgp"},{"vulnerability":"VCID-6nxv-q8hv-rkbt"},{"vulnerability":"VCID-dj4e-fqt2-r3ap"},{"vulnerability":"VCID-juxv-sxxr-s3d8"},{"vulnerability":"VCID-m63y-x2d4-9ya4"},{"vulnerability":"VCID-mdzj-jtgu-zycy"},{"vulnerability":"VCID-mt2z-nyas-5qer"},{"vulnerability":"VCID-u9hk-ce69-83gw"},{"vulnerability":"VCID-uyas-urd2-puaz"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/bolt/bolt@3.6.7"}],"aliases":["CVE-2019-10874","GHSA-3g6c-88pf-m46f"],"risk_score":10.0,"exploitability":"2.0","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-1w3g-1bcg-9fb7"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/54442?format=json","vulnerability_id":"VCID-66gv-4k2x-5bgp","summary":"OS Command injection in Bolt\nBolt before 3.7.2 does not restrict filter options in a Request in the Twig context, and is therefore inconsistent with the \"How to Harden Your PHP for Better Security\" 
guidance.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2020-28925","reference_id":"","reference_type":"","scores":[{"value":"0.00344","scoring_system":"epss","scoring_elements":"0.57248","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00344","scoring_system":"epss","scoring_elements":"0.57307","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00344","scoring_system":"epss","scoring_elements":"0.57299","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2020-28925"},{"reference_url":"https://github.com/bolt/bolt/commit/c0cd530e78c2a8c6d71ceb75b10c251b39fb923a","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/bolt/bolt/commit/c0cd530e78c2a8c6d71ceb75b10c251b39fb923a"},{"reference_url":"https://github.com/bolt/bolt/compare/3.7.1...3.7.2","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/bolt/bolt/compare/3.7.1...3.7.2"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2020-28925","reference_id":"CVE-2020-28925","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-28925"},{"reference_url":"https://github.com/advisories/GHSA-w8cj-mvf9-mpc9","reference_id":"GHSA-w8cj-mvf9-mpc9","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-w8cj-mvf9-mpc9"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/80639?format=json","purl":
"pkg:composer/bolt/bolt@3.7.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-mt2z-nyas-5qer"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/bolt/bolt@3.7.2"}],"aliases":["CVE-2020-28925","GHSA-w8cj-mvf9-mpc9"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-66gv-4k2x-5bgp"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/55607?format=json","vulnerability_id":"VCID-6nxv-q8hv-rkbt","summary":"Bolt CMS Cross-site Scripting vulnerability\n** UNSUPPORTED WHEN ASSIGNED ** A vulnerability classified as problematic has been found in Bolt CMS 3.7.1. Affected is an unknown function of the file /bolt/editcontent/showcases of the component Showcase Creation Handler. The manipulation of the argument textarea leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-273168. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. 
NOTE: Vendor was contacted early and confirmed that the affected release tree is end-of-life.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-7300","reference_id":"","reference_type":"","scores":[{"value":"0.00127","scoring_system":"epss","scoring_elements":"0.31531","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00127","scoring_system":"epss","scoring_elements":"0.31567","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-7300"},{"reference_url":"https://github.com/bolt/bolt","reference_id":"","reference_type":"","scores":[{"value":"3.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/bolt/bolt"},{"reference_url":"https://vuldb.com/?ctiid.273168","reference_id":"","reference_type":"","scores":[{"value":"4","scoring_system":"cvssv2","scoring_elements":"AV:N/AC:L/Au:S/C:N/I:P/A:N"},{"value":"3.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N"},{"value":"3.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T
:P/P:M/B:A/M:M/D:T/2024-07-31T13:21:55Z/"}],"url":"https://vuldb.com/?ctiid.273168"},{"reference_url":"https://vuldb.com/?id.273168","reference_id":"","reference_type":"","scores":[{"value":"4","scoring_system":"cvssv2","scoring_elements":"AV:N/AC:L/Au:S/C:N/I:P/A:N"},{"value":"3.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N"},{"value":"3.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-07-31T13:21:55Z/"}],"url":"https://vuldb.com/?id.273168"},{"reference_url":"https://vuldb.com/?submit.380678","reference_id":"","reference_type":"","scores":[{"value":"4","scoring_system":"cvssv2","scoring_elements":"AV:N/AC:L/Au:S/C:N/I:P/A:N"},{"value":"3.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N"},{"value":"3.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"S
SVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-07-31T13:21:55Z/"}],"url":"https://vuldb.com/?submit.380678"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-7300","reference_id":"CVE-2024-7300","reference_type":"","scores":[{"value":"3.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-7300"},{"reference_url":"https://github.com/advisories/GHSA-xhqw-4hcq-fcvr","reference_id":"GHSA-xhqw-4hcq-fcvr","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-xhqw-4hcq-fcvr"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/80639?format=json","purl":"pkg:composer/bolt/bolt@3.7.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-mt2z-nyas-5qer"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/bolt/bolt@3.7.2"}],"aliases":["CVE-2024-7300","GHSA-xhqw-4hcq-fcvr"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-6nxv-q8hv-rkbt"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/51766?format=json","vulnerability_id":"VCID-dj4e-fqt2-r3ap","summary":"Cross-site Scripting\nBolt has XSS via an image's alt or title 
field.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2019-15484","reference_id":"","reference_type":"","scores":[{"value":"0.00305","scoring_system":"epss","scoring_elements":"0.54035","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00305","scoring_system":"epss","scoring_elements":"0.54099","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00305","scoring_system":"epss","scoring_elements":"0.54091","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2019-15484"},{"reference_url":"https://github.com/bolt/bolt","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/bolt/bolt"},{"reference_url":"https://github.com/bolt/bolt/pull/7801","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/bolt/bolt/pull/7801"},{"reference_url":"https://github.com/bolt/bolt/releases/tag/v3.6.10","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/bolt/bolt/releases/tag/v3.6.10"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2019-15484","reference_id":"CVE-2019-15484","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2019-15484"},{"reference_url":"https://github.com/advisories/GHSA-f
p8m-xw3f-6h7x","reference_id":"GHSA-fp8m-xw3f-6h7x","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-fp8m-xw3f-6h7x"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/75892?format=json","purl":"pkg:composer/bolt/bolt@3.6.10","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-66gv-4k2x-5bgp"},{"vulnerability":"VCID-6nxv-q8hv-rkbt"},{"vulnerability":"VCID-juxv-sxxr-s3d8"},{"vulnerability":"VCID-m63y-x2d4-9ya4"},{"vulnerability":"VCID-mdzj-jtgu-zycy"},{"vulnerability":"VCID-mt2z-nyas-5qer"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/bolt/bolt@3.6.10"}],"aliases":["CVE-2019-15484","GHSA-fp8m-xw3f-6h7x"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-dj4e-fqt2-r3ap"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/52683?format=json","vulnerability_id":"VCID-juxv-sxxr-s3d8","summary":"Cross-site Scripting\nIn Bolt CMS, the filename of uploaded files was vulnerable to stored XSS. It is not possible to inject javascript code in the file name when creating/uploading the file. But, once created/uploaded, it can be renamed to inject the payload in it. 
Additionally, the measures to prevent renaming the file to disallowed filename extensions could be circumvented.","references":[{"reference_url":"http://packetstormsecurity.com/files/158299/Bolt-CMS-3.7.0-XSS-CSRF-Shell-Upload.html","reference_id":"","reference_type":"","scores":[{"value":"7.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://packetstormsecurity.com/files/158299/Bolt-CMS-3.7.0-XSS-CSRF-Shell-Upload.html"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2020-4041","reference_id":"","reference_type":"","scores":[{"value":"0.00444","scoring_system":"epss","scoring_elements":"0.6368","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00444","scoring_system":"epss","scoring_elements":"0.63729","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00444","scoring_system":"epss","scoring_elements":"0.63722","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2020-4041"},{"reference_url":"http://seclists.org/fulldisclosure/2020/Jul/4","reference_id":"","reference_type":"","scores":[{"value":"7.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://seclists.org/fulldisclosure/2020/Jul/4"},{"reference_url":"https://github.com/bolt/bolt","reference_id":"","reference_type":"","scores":[{"value":"7.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/bolt/bolt"},{"reference_url":"https://github.com/bolt/bolt/commit/b42cbfcf3e3108c46a80581216ba03ef449e419f","reference_id":"","reference_type":"","scores":[{"value":"7.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N"
},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/bolt/bolt/commit/b42cbfcf3e3108c46a80581216ba03ef449e419f"},{"reference_url":"https://github.com/bolt/bolt/pull/7853","reference_id":"","reference_type":"","scores":[{"value":"7.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/bolt/bolt/pull/7853"},{"reference_url":"https://github.com/bolt/bolt/security/advisories/GHSA-68q3-7wjp-7q3j","reference_id":"","reference_type":"","scores":[{"value":"7.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/bolt/bolt/security/advisories/GHSA-68q3-7wjp-7q3j"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2020-4041","reference_id":"CVE-2020-4041","reference_type":"","scores":[{"value":"7.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-4041"},{"reference_url":"https://github.com/advisories/GHSA-68q3-7wjp-7q3j","reference_id":"GHSA-68q3-7wjp-7q3j","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-68q3-7wjp-7q3j"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/77473?format=json","purl":"pkg:composer/bolt/bolt@3.7.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-66gv-4k2x-5bgp"},{"vulnerability":"VCID-6nxv-q8hv-rkbt"},{"vulnerability":"VCID-mt2z-nyas-5qer"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/bolt/bolt@3.7.1"}],"a
liases":["CVE-2020-4041","GHSA-68q3-7wjp-7q3j"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-juxv-sxxr-s3d8"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/52685?format=json","vulnerability_id":"VCID-m63y-x2d4-9ya4","summary":"Cross-Site Request Forgery (CSRF)\nBolt CMS lacks CSRF protection in the preview generating endpoint. Previews are intended to be generated by the admins, developers, chief-editors, and editors, who are authorized to create content in the application. But due to lack of proper CSRF protection, unauthorized users could generate a preview.","references":[{"reference_url":"http://packetstormsecurity.com/files/158299/Bolt-CMS-3.7.0-XSS-CSRF-Shell-Upload.html","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://packetstormsecurity.com/files/158299/Bolt-CMS-3.7.0-XSS-CSRF-Shell-Upload.html"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2020-4040","reference_id":"","reference_type":"","scores":[{"value":"0.00674","scoring_system":"epss","scoring_elements":"0.71881","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00674","scoring_system":"epss","scoring_elements":"0.71842","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00674","scoring_system":"epss","scoring_elements":"0.71887","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2020-4040"},{"reference_url":"http://seclists.org/fulldisclosure/2020/Jul/4","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://seclists.org/fulldisclosure/2020/Jul/4"},{"referenc
e_url":"https://github.com/bolt/bolt","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/bolt/bolt"},{"reference_url":"https://github.com/bolt/bolt/commit/b42cbfcf3e3108c46a80581216ba03ef449e419f","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/bolt/bolt/commit/b42cbfcf3e3108c46a80581216ba03ef449e419f"},{"reference_url":"https://github.com/bolt/bolt/pull/7853","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/bolt/bolt/pull/7853"},{"reference_url":"https://github.com/bolt/bolt/security/advisories/GHSA-2q66-6cc3-6xm8","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/bolt/bolt/security/advisories/GHSA-2q66-6cc3-6xm8"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2020-4040","reference_id":"CVE-2020-4040","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-4040"},{"reference_url":"https://github.com/advisories/GHSA-2q66-6cc3-6xm8","reference_id":"GHSA-2q66-6cc3-
6xm8","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-2q66-6cc3-6xm8"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/77473?format=json","purl":"pkg:composer/bolt/bolt@3.7.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-66gv-4k2x-5bgp"},{"vulnerability":"VCID-6nxv-q8hv-rkbt"},{"vulnerability":"VCID-mt2z-nyas-5qer"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/bolt/bolt@3.7.1"}],"aliases":["CVE-2020-4040","GHSA-2q66-6cc3-6xm8"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-m63y-x2d4-9ya4"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/57571?format=json","vulnerability_id":"VCID-mdzj-jtgu-zycy","summary":"Bolt CMS vulnerable to authenticated remote code execution\nBolt CMS versions 3.7.0 and earlier contain a chain of vulnerabilities that together allow an authenticated user to achieve remote code execution. A user with valid credentials can inject arbitrary PHP code into the displayname field of the user profile, which is rendered unsanitized in backend templates. The attacker can then list and rename cached session files via the /async/browse/cache/.sessions and /async/folder/rename endpoints. By renaming a .session file to a path under the publicly accessible /files/ directory with a .php extension, the attacker can turn the injected code into an executable web shell. 
Finally, the attacker triggers the payload via a crafted HTTP GET request to the rogue file.\n\nNOTE: The vendor announced that Bolt 3 reached end-of-life after 31 December 2021.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-34086","reference_id":"","reference_type":"","scores":[{"value":"0.67402","scoring_system":"epss","scoring_elements":"0.98587","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-34086"},{"reference_url":"https://boltcms.io/newsitem/major-announcements-bolt-3-eol-bolt-4-2-5-0-releases","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-07-07T19:02:46Z/"}],"url":"https://boltcms.io/newsitem/major-announcements-bolt-3-eol-bolt-4-2-5-0-releases"},{"reference_url":"https://github.com/bolt/bolt","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-07-07T19:02:46Z/"}],"url":"https://github.com/bolt/bolt"},{"reference_url":"https://github.com/bolt/bolt/blob/3.7/src/Controller/Backend/Users.php#L279-L311","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/bolt/bolt/blob/3.7/src/Controller/Backend/Users.php#L279-L311"},{"reference_url":"https://github.com/bolt/bolt/release
s/tag/3.7.1","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-07-07T19:02:46Z/"}],"url":"https://github.com/bolt/bolt/releases/tag/3.7.1"},{"reference_url":"https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/unix/webapp/bolt_authenticated_rce.rb","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-07-07T19:02:46Z/"}],"url":"https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/unix/webapp/bolt_authenticated_rce.rb"},{"reference_url":"https://www.exploit-db.com/exploits/48296","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-07-07T19:02:46Z/"}],"url":"https://www.exploit-db.com/exploits/48296"},{"reference_url":"https://www.rapid7.com/db/modules/exploit/unix/webapp/bolt_authenticated_rce","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.rapid7.com/db/modules/exploit/unix/webapp/bolt_authenticated_rce"},
{"reference_url":"https://www.rapid7.com/db/modules/exploit/unix/webapp/bolt_authenticated_rce/","reference_id":"bolt_authenticated_rce","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-07-07T19:02:46Z/"}],"url":"https://www.rapid7.com/db/modules/exploit/unix/webapp/bolt_authenticated_rce/"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-34086","reference_id":"CVE-2025-34086","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-34086"},{"reference_url":"https://github.com/advisories/GHSA-p9qc-8jjx-g8cg","reference_id":"GHSA-p9qc-8jjx-g8cg","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-p9qc-8jjx-g8cg"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/77473?format=json","purl":"pkg:composer/bolt/bolt@3.7.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-66gv-4k2x-5bgp"},{"vulnerability":"VCID-6nxv-q8hv-rkbt"},{"vulnerability":"VCID-mt2z-nyas-5qer"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/bolt/bolt@3.7.1"}],"aliases":["CVE-2025-34086","GHSA-p9qc-8jjx-g8cg"],"risk_score":10.0,"exploitability":"2.0","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-mdzj-jtgu-zycy"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/42880?format=json","vulnerability_id":"VCID-mt2z-nyas-5qer","summary":"Improper Control of Generation of Code ('Code Injection')\nBolt CMS <= 4.2 is vulnerable to Remote Code Execution. 
Unsafe theme rendering allows an authenticated attacker to edit a theme and inject template code (server-side template injection), which leads to remote code execution.","references":[{"reference_url":"http://boltcms.com","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://boltcms.com"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-40219","reference_id":"","reference_type":"","scores":[{"value":"0.05034","scoring_system":"epss","scoring_elements":"0.89934","published_at":"2026-06-05T12:55:00Z"},{"value":"0.05034","scoring_system":"epss","scoring_elements":"0.89935","published_at":"2026-06-06T12:55:00Z"},{"value":"0.05034","scoring_system":"epss","scoring_elements":"0.89918","published_at":"2026-06-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-40219"},{"reference_url":"https://github.com/bolt/core","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/bolt/core"},{"reference_url":"https://github.com/bolt/core/blob/3b21a73ebf519b76756d3ad2841312d10ef11461/src/Controller/Frontend/TemplateController.php","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/bolt/core/blob/3b21a73ebf519b76756d3ad2841312d10ef11461/src/Controller/Frontend/TemplateController.php"},{"reference_url":"https://github.com/iiSiLvEr/CVEs/tree/main/CVE-2021-40219","reference_id":"CVE-2021-40219","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_eleme
nts":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/iiSiLvEr/CVEs/tree/main/CVE-2021-40219"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-40219","reference_id":"CVE-2021-40219","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-40219"},{"reference_url":"https://github.com/advisories/GHSA-gprh-7767-cw39","reference_id":"GHSA-gprh-7767-cw39","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-gprh-7767-cw39"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/61313?format=json","purl":"pkg:composer/bolt/bolt@4.2.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/bolt/bolt@4.2.1"}],"aliases":["CVE-2021-40219","GHSA-gprh-7767-cw39"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-mt2z-nyas-5qer"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/51765?format=json","vulnerability_id":"VCID-u9hk-ce69-83gw","summary":"Cross-site Scripting\nBolt is vulnerable to XSS via `createFolder` or `createFile` in 
`Controller/Async/FilesystemManager.php`.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2019-15485","reference_id":"","reference_type":"","scores":[{"value":"0.00305","scoring_system":"epss","scoring_elements":"0.54091","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00305","scoring_system":"epss","scoring_elements":"0.54099","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00305","scoring_system":"epss","scoring_elements":"0.54035","published_at":"2026-06-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2019-15485"},{"reference_url":"https://github.com/bolt/bolt/pull/7800","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/bolt/bolt/pull/7800"},{"reference_url":"https://github.com/bolt/bolt/releases/tag/v3.6.10","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/bolt/bolt/releases/tag/v3.6.10"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2019-15485","reference_id":"CVE-2019-15485","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2019-15485"},{"reference_url":"https://github.com/advisories/GHSA-cj8p-53v9-2c26","reference_id":"GHSA-cj8p-53v9-2c26","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-cj8p-53v9-2c26"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages
/75892?format=json","purl":"pkg:composer/bolt/bolt@3.6.10","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-66gv-4k2x-5bgp"},{"vulnerability":"VCID-6nxv-q8hv-rkbt"},{"vulnerability":"VCID-juxv-sxxr-s3d8"},{"vulnerability":"VCID-m63y-x2d4-9ya4"},{"vulnerability":"VCID-mdzj-jtgu-zycy"},{"vulnerability":"VCID-mt2z-nyas-5qer"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/bolt/bolt@3.6.10"}],"aliases":["CVE-2019-15485","GHSA-cj8p-53v9-2c26"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-u9hk-ce69-83gw"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/51769?format=json","vulnerability_id":"VCID-uyas-urd2-puaz","summary":"Cross-site Scripting\nBolt is vulnerable to XSS via a title that is mishandled in the system log.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2019-15483","reference_id":"","reference_type":"","scores":[{"value":"0.00223","scoring_system":"epss","scoring_elements":"0.45035","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00223","scoring_system":"epss","scoring_elements":"0.45108","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00223","scoring_system":"epss","scoring_elements":"0.45103","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2019-15483"},{"reference_url":"https://github.com/bolt/bolt","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/bolt/bolt"},{"reference_url":"https://github.com/bolt/bolt/pull/7802","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textu
al","scoring_elements":""}],"url":"https://github.com/bolt/bolt/pull/7802"},{"reference_url":"https://github.com/bolt/bolt/releases/tag/v3.6.10","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/bolt/bolt/releases/tag/v3.6.10"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2019-15483","reference_id":"CVE-2019-15483","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2019-15483"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/75892?format=json","purl":"pkg:composer/bolt/bolt@3.6.10","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-66gv-4k2x-5bgp"},{"vulnerability":"VCID-6nxv-q8hv-rkbt"},{"vulnerability":"VCID-juxv-sxxr-s3d8"},{"vulnerability":"VCID-m63y-x2d4-9ya4"},{"vulnerability":"VCID-mdzj-jtgu-zycy"},{"vulnerability":"VCID-mt2z-nyas-5qer"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/bolt/bolt@3.6.10"}],"aliases":["CVE-2019-15483","GHSA-ph84-vg7q-fqq8"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-uyas-urd2-puaz"}],"fixing_vulnerabilities":[],"risk_score":"10.0","resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/bolt/bolt@3.6.6"}