CVE Watchtower


CVE-2026-39229 (NVD)

Vulnerability Summary

Bolt CMS through 3.7.0 allows SQL Injection in the 'order' parameter of the content listing pages. An authenticated attacker with low-level privileges can exploit this through the OrderDirective component. This allows for the extraction of sensitive information
Severity Level
MEDIUM (6.5)
Published Date
May 29, 2026
Last Modified
May 29, 2026
Exploitation Status
UNKNOWN
Root Weakness (CWE)
Improper neutralization of special elements used in an SQL command, allowing attackers to modify queries.
EPSS Score (30-Day)
0.03% probability
CVSS v3.1 Base Metrics
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: None