CVE-2026-39229
Status: Deferred - Pending Action
SQL Injection in Bolt CMS via Order Directive

Publication date: 2026-05-29

Last updated on: 2026-05-29

Assigner: MITRE

Description
Bolt CMS through 3.7.0 allows SQL Injection in the 'order' parameter of the content listing pages. An authenticated attacker with low-level privileges can exploit this through the OrderDirective component. This allows for the extraction of sensitive information.
Meta Information
Published: 2026-05-29
Last Modified: 2026-05-29
Generated: 2026-05-29
AI Q&A: 2026-05-29
EPSS Evaluated: N/A
Affected Vendors & Products (2 associated CPEs)
Vendor      Product     Version / Range
bolt_cms    bolt_cms    up to 3.7.0 (inclusive)
bolt        cms         up to 3.7.0 (inclusive)
CWE ID: CWE-UNKNOWN (no weakness class assigned)

AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-39229 is a Blind SQL Injection vulnerability in Bolt CMS version 3.7.0. It occurs in the OrderDirective component, specifically in the __invoke() method, where the 'order' parameter used in content listing pages is not properly sanitized.

An authenticated attacker with low-level privileges, such as an Editor, can exploit this vulnerability by injecting malicious SQL commands through the 'order' parameter. This allows the attacker to manipulate the SQL query's orderBy() clause, leading to unauthorized extraction of sensitive information from the database.


How can this vulnerability impact me?

This vulnerability can have severe impacts including unauthorized data extraction from the database. An attacker can retrieve sensitive information such as administrative password hashes.

Exploitation of this vulnerability can potentially lead to a full database compromise, allowing attackers to access, modify, or delete critical data.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring and analyzing requests to the Bolt CMS content listing pages, specifically looking for unusual or malicious input in the 'order' parameter.

Since the vulnerability involves SQL Injection via the 'order' parameter, you can detect exploitation attempts by inspecting web server logs or using web application firewalls (WAF) to flag suspicious SQL keywords or patterns in this parameter.

For direct detection on the system, you can use database query logs to identify unusual or unexpected queries involving the ORDER BY clause.

Suggested commands include:

  • Using grep to find suspicious 'order' parameter usage in web server logs: grep -i 'order=' /var/log/apache2/access.log
  • Using SQL query log inspection to find suspicious ORDER BY clauses: grep -i 'order by' /path/to/database/query.log
  • Using a web vulnerability scanner or SQL injection detection tool against the content listing pages (e.g., /bolt/overview/pages) to test the 'order' parameter.
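The grep suggested above matches every legitimate sort request as well, and logged URIs are percent-encoded, so a raw search for "order by" misses encoded payloads. The following script is an added example (not Bolt's code and not part of the original record) that decodes the 'order' value from combined-format access log lines and reports only values that do not look like a field name. It assumes Bolt's legitimate sort values are a column name with an optional leading '-' for descending order; the log lines are constructed for the demonstration.

```php
<?php
// Added example (not Bolt's code): scan combined-format access log lines for
// requests whose decoded 'order' query parameter does not look like a plain
// field name. The allowed shape (optional '-' prefix, then a field name) is an
// assumption about Bolt's sort convention, not taken from the advisory.

// Values the listing UI would legitimately send are assumed to match this.
const ALLOWED_ORDER = '/^-?[A-Za-z0-9_]+$/';

/**
 * Parse one combined-format access log line into its parts.
 * Returns null when the line does not match the expected layout.
 */
function parseAccessLogLine(string $line): ?array
{
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    return ['ip' => $m[1], 'time' => $m[2], 'method' => $m[3], 'uri' => $m[4], 'status' => (int) $m[5]];
}

/**
 * Return the percent-decoded 'order' parameter of a request URI, or null when absent.
 */
function extractOrderParam(string $uri): ?string
{
    $query = parse_url($uri, PHP_URL_QUERY);
    if (!is_string($query)) {
        return null;
    }
    parse_str($query, $params);   // parse_str percent-decodes the values
    return isset($params['order']) && is_string($params['order']) ? $params['order'] : null;
}

/**
 * Scan log lines and return the requests whose 'order' value falls outside the allow-list.
 */
function findSuspiciousOrderRequests(array $lines): array
{
    $hits = [];
    foreach ($lines as $line) {
        $entry = parseAccessLogLine($line);
        if ($entry === null) {
            continue;
        }
        $order = extractOrderParam($entry['uri']);
        if ($order === null || preg_match(ALLOWED_ORDER, $order)) {
            continue;   // no 'order' parameter, or an ordinary sort field
        }
        $hits[] = ['ip' => $entry['ip'], 'time' => $entry['time'], 'order' => $order];
    }
    return $hits;
}

// Constructed sample lines (not real traffic). The first two are ordinary sort
// requests a plain grep for 'order=' would also flag; the last two carry values
// no UI control would produce.
$sample = [
    '10.0.0.5 - - [29/May/2026:10:00:01 +0000] "GET /bolt/overview/pages?order=-datecreated HTTP/1.1" 200 5123',
    '10.0.0.5 - - [29/May/2026:10:00:09 +0000] "GET /bolt/overview/pages?order=title HTTP/1.1" 200 5088',
    '198.51.100.7 - - [29/May/2026:10:02:30 +0000] "GET /bolt/overview/pages?order=title%2C%28SELECT%201%29 HTTP/1.1" 200 5090',
    '198.51.100.7 - - [29/May/2026:10:02:41 +0000] "GET /bolt/overview/pages?order=title%27%20OR%201%3D1-- HTTP/1.1" 500 310',
];

foreach (findSuspiciousOrderRequests($sample) as $hit) {
    printf("%s %s order=%s\n", $hit['time'], $hit['ip'], $hit['order']);
}
```

Run it as `php scan_order.php` after replacing `$sample` with the lines of your access log; only the two requests from 198.51.100.7 are reported. Because the check decodes the value first, an attempt hidden behind percent-encoding is caught, and because it compares against an allow-list rather than a keyword list, it does not depend on guessing which SQL words an attacker will use.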

What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include implementing strict input validation and allow-listing for the 'order' parameter to prevent injection of arbitrary SQL commands.

Avoid using direct user input in the orderBy() method of the QueryBuilder without sanitization.

Use parameterized queries or ORM/DBAL abstractions to safely handle user input.

Additionally, restrict access to the Bolt CMS content listing pages to trusted authenticated users only, and monitor logs for suspicious activity.

Consider upgrading to a newer, supported version of Bolt CMS if available, as Bolt 3.7.0 is vulnerable and the project is archived.
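The allow-listing advised above, shown as an added example that is not Bolt's own code: the sort step of a content listing written the unsafe way the advisory describes, next to a hardened version that resolves the request value to a known column before it reaches orderBy(). The QueryBuilder is Doctrine DBAL's (the database layer Bolt 3 uses); the table name, the column list and the use of an in-memory SQLite connection are assumptions made for the demonstration.

```php
<?php
// Added example, not Bolt's own code. Shows the sort step written unsafely and
// hardened with an allow-list. The QueryBuilder is Doctrine DBAL's; the table
// and column names are assumptions for illustration.

require 'vendor/autoload.php';   // assumes doctrine/dbal is installed via Composer

use Doctrine\DBAL\DriverManager;
use Doctrine\DBAL\Query\QueryBuilder;

/**
 * Unsafe: the request value is passed straight to orderBy(). DBAL does not
 * quote or parameterise ORDER BY arguments (a bound parameter cannot name a
 * column), so the user-supplied text becomes part of the SQL statement.
 */
function applyOrderUnsafe(QueryBuilder $qb, string $order): void
{
    $desc  = $order !== '' && $order[0] === '-';
    $field = $desc ? substr($order, 1) : $order;
    $qb->orderBy($field, $desc ? 'DESC' : 'ASC');   // $field is untrusted input
}

/** Columns a listing may be sorted by (assumed names); anything else is rejected. */
const SORTABLE_COLUMNS = ['id', 'title', 'slug', 'datecreated', 'datechanged', 'datepublish', 'status'];

/**
 * Safe: resolve the request value to a known column and a fixed direction
 * before it reaches orderBy(). Unknown values fall back to the default sort
 * and are logged, so a probe never alters the SQL text.
 * Returns the sort actually applied, in the same "-field" notation.
 */
function applyOrderSafe(QueryBuilder $qb, ?string $order, string $default = 'datecreated'): string
{
    $desc  = false;
    $field = $default;

    if (is_string($order) && $order !== '') {
        $wantDesc  = $order[0] === '-';
        $candidate = $wantDesc ? substr($order, 1) : $order;
        if (in_array($candidate, SORTABLE_COLUMNS, true)) {   // strict, case-sensitive match
            $field = $candidate;
            $desc  = $wantDesc;
        } else {
            error_log('Rejected order value: ' . var_export($order, true));
        }
    }

    $qb->orderBy($field, $desc ? 'DESC' : 'ASC');   // only allow-listed names get here
    return ($desc ? '-' : '') . $field;
}

// Demonstration: getSQL() builds the statement text without touching a database,
// so a lazily opened in-memory SQLite connection is enough.
$conn = DriverManager::getConnection(['driver' => 'pdo_sqlite', 'memory' => true]);

foreach (['-datecreated', 'title', 'title, (SELECT 1)', '-status) OR (1=1'] as $input) {
    $qb = $conn->createQueryBuilder()->select('id', 'title')->from('bolt_pages');
    $applied = applyOrderSafe($qb, $input);
    printf("%-22s -> applied %-13s %s\n", var_export($input, true), $applied, $qb->getSQL());
}
```

The two well-formed inputs sort by the requested column; the two malformed ones are logged and the query keeps the default ORDER BY. Keeping the direction as a boolean and the column as an array lookup means the SQL text is assembled only from constants the code owns, which is the property parameterised queries give WHERE values but cannot give an ORDER BY column.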

