CVE-2026-39229
Description
Bolt CMS through 3.7.0 allows SQL Injection in the 'order' parameter of the content listing pages. An authenticated attacker with low-level privileges can exploit this through the OrderDirective component. This allows for the extraction of sensitive information.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Authenticated SQL injection in Bolt CMS 3.7.0 order parameter allows low-privilege attackers to extract sensitive data via time-based blind injection.
Vulnerability
Bolt CMS through version 3.7.0 contains a SQL injection vulnerability in the order parameter of content overview pages (e.g., /bolt/overview/pages). The flaw resides in the Bolt/Storage/Query/Directive/OrderDirective.php file within the __invoke() method, where user-supplied input is directly appended to the QueryBuilder's orderBy() clause without sanitization or whitelisting [2]. This affects authenticated users with low privileges such as Editor roles [2]. The official description confirms the vulnerability affects Bolt CMS through 3.7.0 [1].
Exploitation
An attacker must have an authenticated session with low-level privileges (e.g., Editor) that allows access to content overview pages [2]. The attacker crafts a URL such as http://[TARGET]/bolt/overview/pages?order=id, (SELECT hex(randomblob(150000000))) and submits the request. The injected payload is executed by the database backend, causing a measurable time delay (approximately 3-4 seconds) indicative of a time-based blind SQL injection condition [2]. No special network position or additional privileges beyond the stated low-level account are required.
Impact
Successful exploitation enables the attacker to extract sensitive information from the database, including administrative password hashes [2]. Depending on the database backend, arbitrary SQL commands may be executed, potentially leading to complete database compromise [2]. The impact on confidentiality, integrity, and availability is high, as reflected by the CVSS v3.1 score of 9.8 [2].
Mitigation
Bolt CMS version 3.7.0 is confirmed affected; the vendor has not released an official patch as of the publication date 2026-05-29 [2]. The project repository notes that Bolt 5 is the current major release and recommends new projects use Bolt 5 [3]. Users of Bolt 3.x should upgrade to Bolt 5 to mitigate this vulnerability. No workaround is provided in the available references.
AI Insight generated on May 29, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Patches
359c22d4a7eb: fix ContextErrorException for select fields with multiple contenttypes and field values
2 files changed · +25 −3
choice.patch+18 −0 added@@ -0,0 +1,18 @@ +161a162 +> +163c164 +< $values[(string)$entity->getContenttype() . '/' . $id] = $entity->get($queryFields[0]); +--- +> $key = (string)$entity->getContenttype() . '/' . $id; +165c166 +< $values[$id] = $entity->get($queryFields[0]); +--- +> $key = $id; +166a168,170 +> +> $values[$key] = $entity->get($queryFields[0]); +> +168c172 +< $values[$id] .= ' / ' . $entity->get($queryFields[1]); +--- +> $values[$key] .= ' / ' . $entity->get($queryFields[1]);
src/Form/Resolver/Choice.php+7 −3 modified@@ -159,13 +159,17 @@ private function getEntityValues(Bag $field) $ctCount = count($entities->getOriginalQueries()); foreach ($entities as $entity) { $id = $entity->get($field->get('keys', 'id')); + if ($ctCount > 1) { - $values[(string)$entity->getContenttype() . '/' . $id] = $entity->get($queryFields[0]); + $key = (string)$entity->getContenttype() . '/' . $id; } else { - $values[$id] = $entity->get($queryFields[0]); + $key = $id; } + + $values[$key] = $entity->get($queryFields[0]); + if (isset($queryFields[1])) { - $values[$id] .= ' / ' . $entity->get($queryFields[1]); + $values[$key] .= ' / ' . $entity->get($queryFields[1]); } }
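Review bot: the Choice.php hunk fixes the real defect: before the change, the `$ctCount > 1` branch wrote `$values[contenttype . '/' . $id]` while the `$queryFields[1]` append still indexed `$values[$id]`, so the `.=` hit an undefined offset (the reported ContextErrorException); computing `$key` once and using it for both writes is the right shape. Separately, `choice.patch` (+18, added) is an ed-style diff of this same change committed next to the source; it looks like a stray artifact of preparing the fix and should be dropped from the commit.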
b2653bfbee96: Proposed solution for bug #7843
1 file changed · +1 −1
src/AccessControl/Permissions.php+1 −1 modified@@ -547,7 +547,7 @@ public function isAllowed($what, $user, $content = null, $contentId = null) $this->audit($auditline); // First, let's see if we have the check in the per-request cache. - $rqCacheKey = $user['id'] . '//' . $what . '//' . $contenttypeSlug . '//' . $contentId; + $rqCacheKey = (!empty($user['id']) ? $user['id'] : '(none)') . '//' . $what . '//' . $contenttypeSlug . '//' . $contentId; if (isset($this->rqcache[$rqCacheKey])) { return $this->rqcache[$rqCacheKey]; }
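Review bot: `!empty($user['id'])` treats an id of `0` or `'0'` as absent, so such a user would share the `'(none)'` per-request cache entry with the no-user case and could receive a cached answer computed for a different principal; prefer `isset($user['id']) ? $user['id'] : '(none)'` (or `$user['id'] ?? '(none)'`, which also tolerates a null `$user` without a notice) so only a genuinely missing id collapses to `'(none)'`. A one-line comment noting that `$user` may be null here (the PHP 7.4 "array offset on value of type null" case from #7843) would explain why the guard exists.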
e46638dc59da: Merge pull request #7857 from bolt/release/3.7.1
2 files changed · +17 −3
changelog.md+16 −2 modified@@ -1,8 +1,23 @@ Changelog for Bolt 3.x ====================== + +Bolt 3.7.1 +---------- + +Released: 2020-05-07. Notable changes: + + - Security: Check CSRF on Preview page, and prevent renaming files to blacklisted filetypes [#7853](https://github.com/bolt/bolt/pull/#7853) + - Change: Add hreflang to allowed_attributes [#7855](https://github.com/bolt/bolt/pull/#7855) + - Chore: Updating dependencies [#7842](https://github.com/bolt/bolt/pull/#7842) + - Fixed: Fix tag cloud, update NPM deps [#7856](https://github.com/bolt/bolt/pull/#7856) + - Fixed: Select field with multiple contenttypes and display values results in a `ContextErrorException` [#7849](https://github.com/bolt/bolt/pull/#7849) + - Fixed: Trying to access array offset on value of type `null` with PHP 7.4 [#7843](https://github.com/bolt/bolt/pull/#7843) + +Special thanks go out [Sivanesh Ashok](https://stazot.com/) for responsibly disclosing the two fixed security issues to us. + Bolt 3.7.0 ------------ +---------- Released: 2019-11-12. Notable changes: @@ -16,7 +31,6 @@ out-of-the-box. This is most noticeable with Doctrine, our database library. If you're stuck on an older PHP version, you can keep using Bolt 3.6 for the foreseeable future. - Bolt 3.6.11 -----------
src/Version.php+1 −1 modified@@ -19,7 +19,7 @@ final class Version * Stable — 3.0.0 * Development — 3.1.0 alpha 1 */ - const VERSION = '3.7.0'; + const VERSION = '3.7.1'; /** * Whether this release is a stable one.
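Review bot: the six changelog links are written as `https://github.com/bolt/bolt/pull/#7853` and so on; the `#` turns the PR number into a URL fragment, so every link resolves to `/pull/` instead of the pull request. They should read `pull/7853`, `pull/7855`, etc. Minor wording: "Special thanks go out [Sivanesh Ashok]" is missing "to". The `Version.php` bump to `3.7.1` matches the new changelog heading. Note also that none of the hunks in this or the other two listed commits touches `Bolt/Storage/Query/Directive/OrderDirective.php`, the file named in the description, so these patches should not be read as addressing the `order` injection.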
Vulnerability mechanics
Root cause
"Missing input validation and allow-listing on the `order` parameter allows direct injection into the QueryBuilder's `orderBy()` clause."
Attack vector
An authenticated attacker with low privileges (e.g., Editor) sends a crafted HTTP request to a content overview page such as `/bolt/overview/pages?order=id, (SELECT hex(randomblob(150000000)))`. The unsanitized `order` parameter is passed directly to the QueryBuilder's `orderBy()` method, enabling time-based blind SQL injection [ref_id=1]. The attacker can extract sensitive data, including administrative password hashes, from the `bolt_users` table.
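The request shape described under Exploitation and again under Attack vector has two observable traits a defender can key on: an `order` value that cannot be a column name with a sort direction, and an unusually slow response to an overview page. The following standalone PHP is an added example, not Bolt's code, that applies both checks to web-server access logs. It assumes Apache combined log format with the request duration in microseconds (`%D`) appended as the last field; the log lines are constructed for the example, and the legitimate-value pattern (`col`, `-col`, `col asc|desc`) is an assumption about what the page accepts.

```php
<?php
declare(strict_types=1);

// Added example (not Bolt's code). Assumes Apache combined log format with the
// request duration in microseconds (%D) as the trailing field.
// Constructed sample lines: two normal sorts, one with the advisory's payload
// shape (slow), one malformed probe (500), one unrelated request.
$accessLog = <<<'LOG'
10.0.0.5 - - [29/May/2026:10:00:01 +0000] "GET /bolt/overview/pages?order=title HTTP/1.1" 200 5120 "-" "Mozilla/5.0" 41213
10.0.0.5 - - [29/May/2026:10:00:07 +0000] "GET /bolt/overview/pages?order=-datepublish HTTP/1.1" 200 5102 "-" "Mozilla/5.0" 39870
10.0.0.9 - - [29/May/2026:10:01:15 +0000] "GET /bolt/overview/pages?order=id,%20(SELECT%20hex(randomblob(150000000))) HTTP/1.1" 200 5098 "-" "curl/8.0" 3412551
10.0.0.9 - - [29/May/2026:10:01:20 +0000] "GET /bolt/overview/entries?order=id%27 HTTP/1.1" 500 311 "-" "curl/8.0" 20311
10.0.0.7 - - [29/May/2026:10:02:00 +0000] "GET /bolt/files/ HTTP/1.1" 200 2200 "-" "Mozilla/5.0" 12000
LOG;

/**
 * Return one finding per suspicious overview request:
 * ['ip' => ..., 'target' => ..., 'status' => ..., 'order' => ..., 'reasons' => [...]].
 */
function findSuspiciousOrderRequests(string $log, float $slowSeconds = 2.0): array
{
    // Shape a legitimate sort value can take (assumed): "col", "-col", "col asc|desc".
    $legitimate = '/^-?[A-Za-z_][A-Za-z0-9_]*(\s+(asc|desc))?$/i';
    // client ... "METHOD TARGET PROTO" STATUS BYTES ... DURATION_US
    $lineRe = '/^(\S+) .*?"(\S+) (\S+) [^"]*" (\d{3}) \S+ .* (\d+)$/';

    $findings = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        if (!preg_match($lineRe, $line, $m)) {
            continue;
        }
        $ip     = $m[1];
        $target = $m[3];
        $status = (int) $m[4];
        $micros = (int) $m[5];

        $path  = (string) parse_url($target, PHP_URL_PATH);
        $query = parse_url($target, PHP_URL_QUERY);
        if (!is_string($query) || strpos($path, '/bolt/overview/') !== 0) {
            continue;
        }
        parse_str($query, $params);  // URL-decodes %20, %27, etc.
        if (!isset($params['order'])) {
            continue;
        }
        $order = (string) $params['order'];

        $reasons = [];
        if (!preg_match($legitimate, $order)) {
            $reasons[] = 'order value is not a column name with optional direction';
        }
        $seconds = $micros / 1e6;
        if ($seconds >= $slowSeconds) {
            $reasons[] = sprintf('slow response (%.1fs)', $seconds);
        }
        if ($reasons !== []) {
            $findings[] = [
                'ip' => $ip, 'target' => $target, 'status' => $status,
                'order' => $order, 'reasons' => $reasons,
            ];
        }
    }
    return $findings;
}

foreach (findSuspiciousOrderRequests($accessLog) as $f) {
    printf("%s %s (HTTP %d)\n    order=%s\n    %s\n",
        $f['ip'], $f['target'], $f['status'], var_export($f['order'], true), implode('; ', $f['reasons']));
}
```

On the constructed lines this reports the third request twice over (malformed value and 3.4 s response) and the fourth for its malformed value only; the two ordinary sorts and the unrelated `/bolt/files/` request produce nothing. The slow-response check is deliberately independent of the pattern check so that a payload spelled in a way the regex does not anticipate is still surfaced by its timing.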
Affected code
The vulnerability resides in `Bolt/Storage/Query/Directive/OrderDirective.php` within the `__invoke()` method. The `order` parameter from content overview pages (e.g., `/bolt/overview/pages`) is directly appended to the QueryBuilder's `orderBy()` clause without sanitization or allow-listing [ref_id=1].
What the fix does
The advisory recommends implementing strict input validation and allow-listing for the `order` parameter so that only valid column names and sort directions (e.g., ASC, DESC) are accepted. Raw user input should never be passed directly to the `orderBy()` method; instead, parameterized queries or safe ORM/DBAL abstractions should be used [ref_id=1]. No patch diff is provided in the bundle.
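The allow-listing this section recommends, as an added example in standalone PHP; it is not Bolt's code and not a published fix, since the page records none. The `order` value is parsed into a column and a direction, both are checked against fixed lists, and only the validated values are interpolated into the ORDER BY fragment, so no user-controlled bytes reach the SQL string. The accepted spellings (`column`, `column asc|desc`, `-column` for descending), the column list, and the `orderByClause()` helper are assumptions for the demonstration.

```php
<?php
declare(strict_types=1);

// Added example (not Bolt's code): allow-list validation of a user-supplied
// `order` parameter before anything reaches a QueryBuilder orderBy() clause.
// Assumed input forms: "column", "column asc|desc", "-column" (descending).

/**
 * Parse and validate an `order` parameter.
 *
 * @param string   $order          raw query-string value
 * @param string[] $allowedColumns exact column names exposed for sorting
 * @param string   $default        column used when the input is empty or rejected
 * @return array{0:string,1:string} [column, 'ASC'|'DESC'] built only from allow-listed values
 */
function normalizeOrder(string $order, array $allowedColumns, string $default = 'id'): array
{
    $order = trim($order);
    $direction = 'ASC';

    // "-column" shorthand for descending
    if ($order !== '' && $order[0] === '-') {
        $direction = 'DESC';
        $order = substr($order, 1);
    }

    // "column asc" / "column desc", case-insensitive
    if (preg_match('/^(\S+)\s+(asc|desc)$/i', $order, $m)) {
        $order = $m[1];
        $direction = strtoupper($m[2]);
    }

    // The column must be a plain identifier AND in the allow-list. Anything
    // else (commas, parentheses, quotes, subqueries) falls back to the default
    // instead of being passed through.
    if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $order)
        || !in_array($order, $allowedColumns, true)) {
        return [$default, 'ASC'];
    }

    return [$order, $direction];
}

/**
 * Build the ORDER BY fragment from validated parts only (hypothetical helper).
 */
function orderByClause(string $order, array $allowedColumns): string
{
    [$column, $direction] = normalizeOrder($order, $allowedColumns);
    return sprintf('ORDER BY %s %s', $column, $direction);
}

// Constructed demonstration: an assumed column allow-list for a "pages" content type.
$allowed = ['id', 'title', 'datepublish', 'datechanged', 'status'];

$inputs = [
    'title',
    '-datepublish',
    'status desc',
    'id, (SELECT hex(randomblob(150000000)))',  // payload shape from the advisory
    "title'",
    'notacolumn',
    '',
];

foreach ($inputs as $input) {
    printf("%-45s => %s\n", var_export($input, true), orderByClause($input, $allowed));
}
```

The first three inputs yield `ORDER BY title ASC`, `ORDER BY datepublish DESC` and `ORDER BY status DESC`; every other input, including the advisory's payload shape, collapses to `ORDER BY id ASC`. Returning a default rather than throwing keeps the listing page working for a mistyped parameter while guaranteeing that the string handed to `orderBy()` was composed from constants the application chose.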
Preconditions
- auth: Attacker must have an authenticated account with low privileges (e.g., Editor) that can access content overview pages.
- config: The target must be running Bolt CMS v3.7.0 (other versions not tested).
- network: Attacker must be able to send HTTP requests to the Bolt CMS backend.
- input: The `order` query parameter is accepted without sanitization.
Generated on May 29, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
No linked articles in our index yet.