CVE-2026-39229
Deferred - Pending Action
SQL Injection in Bolt CMS via Order Directive

Publication date: 2026-05-29

Last updated on: 2026-05-29

Assigner: MITRE

Description
Bolt CMS through 3.7.0 allows SQL Injection in the 'order' parameter of the content listing pages. An authenticated attacker with low-level privileges can exploit this through the OrderDirective component. This allows for the extraction of sensitive information.
Meta Information
Published: 2026-05-29
Last Modified: 2026-05-29
Generated: 2026-06-19
AI Q&A: 2026-05-29
EPSS Evaluated: 2026-06-18
Sources: NVD, EUVD
Affected Vendors & Products (2 associated CPEs)
Vendor     Product    Version / Range
bolt_cms   bolt_cms   up to 3.7.0 (inclusive)
bolt       cms        up to 3.7.0 (inclusive)
CWE
CWE-89: The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
AI Quick Actions (the following sections are AI-generated)
Executive Summary

CVE-2026-39229 is a Blind SQL Injection vulnerability in Bolt CMS version 3.7.0. It occurs in the OrderDirective component, specifically in the __invoke() method, where the 'order' parameter used in content listing pages is not properly sanitized.

An authenticated attacker with low-level privileges, such as an Editor, can exploit this vulnerability by injecting malicious SQL commands through the 'order' parameter. This allows the attacker to manipulate the SQL query's orderBy() clause, leading to unauthorized extraction of sensitive information from the database.

Impact Analysis

This vulnerability can have severe impacts including unauthorized data extraction from the database. An attacker can retrieve sensitive information such as administrative password hashes.

Exploitation of this vulnerability can potentially lead to a full database compromise, allowing attackers to access, modify, or delete critical data.

Detection Guidance

This vulnerability can be detected by monitoring and analyzing requests to the Bolt CMS content listing pages, specifically looking for unusual or malicious input in the 'order' parameter.

Since the vulnerability involves SQL Injection via the 'order' parameter, you can detect exploitation attempts by inspecting web server logs or by using a web application firewall (WAF) to flag suspicious SQL keywords or patterns in this parameter.

For direct detection on the system, you can use database query logs to identify unusual or unexpected queries involving the ORDER BY clause.

Suggested commands include:

  • Using grep to find suspicious 'order' parameter usage in web server logs: grep -i 'order=' /var/log/apache2/access.log
  • Using SQL query log inspection to find suspicious ORDER BY clauses: grep -i 'order by' /path/to/database/query.log
  • Using a web vulnerability scanner or SQL injection detection tool against the content listing pages (e.g., /bolt/overview/pages) to test the 'order' parameter.
Mitigation Strategies

Immediate mitigation steps include implementing strict input validation and allow-listing for the 'order' parameter to prevent injection of arbitrary SQL commands.

Avoid passing user input directly to the orderBy() method of the QueryBuilder. An ORDER BY clause takes column identifiers and a direction keyword, which cannot be bound as query parameters, so the 'order' value must be matched against an allow-list of sortable columns (plus ASC/DESC) rather than escaped.

Use parameterized queries or ORM/DBAL abstractions for the values in WHERE clauses and elsewhere; note that parameter binding alone does not protect an ORDER BY clause built from user input.

Additionally, restrict access to the Bolt CMS content listing pages to trusted authenticated users only, and monitor logs for suspicious activity.

Consider upgrading to a newer, supported version of Bolt CMS if available, as Bolt 3.7.0 is vulnerable and the project is archived.
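The allow-list validation recommended in the mitigation steps above, together with a log check that reuses the same validator for the detection guidance earlier on this page, as an added PHP example. This is illustrative code written for this page, not Bolt CMS source. The sortable column names, the table layout, the leading '-' convention for descending order, and the access-log lines are all constructed assumptions for the demo; it runs stand-alone with PHP's built-in PDO SQLite driver.

```php
<?php
// Added example (not Bolt CMS project code). Demonstrates allow-listing an
// 'order' parameter before it reaches ORDER BY, and reusing the same
// allow-list to flag suspicious values in access-log lines.
// Assumptions: the content table columns below and the "-column" convention
// for descending order are illustrative, not taken from Bolt's source.

declare(strict_types=1);

/** Columns a client is allowed to sort by (constructed for this example). */
const SORTABLE_COLUMNS = ['id', 'title', 'datepublished', 'status'];

/**
 * Validate a raw 'order' value and return [column, direction] or null.
 * A leading '-' means descending (assumed convention). Anything that is not
 * exactly an allow-listed column is rejected; no escaping is attempted,
 * because ORDER BY takes identifiers, which cannot be bound as parameters.
 */
function parseOrder(string $raw): ?array
{
    $direction = 'ASC';
    if ($raw !== '' && $raw[0] === '-') {
        $direction = 'DESC';
        $raw = substr($raw, 1);
    }
    if (!in_array($raw, SORTABLE_COLUMNS, true)) {
        return null;
    }
    return [$raw, $direction];
}

/** Build the ORDER BY fragment from allow-listed parts only. */
function buildOrderBy(string $raw, string $default = 'id'): string
{
    $parts = parseOrder($raw) ?? [$default, 'ASC'];
    // Quote the identifier even though it is allow-listed: defence in depth.
    return sprintf('ORDER BY "%s" %s', $parts[0], $parts[1]);
}

/**
 * Detection side: pull the 'order' query parameter out of an access-log
 * request line and report values that the allow-list would have rejected.
 */
function suspiciousOrderValues(array $logLines): array
{
    $hits = [];
    foreach ($logLines as $line) {
        // Match the request target inside the quoted request field.
        if (!preg_match('/"(?:GET|POST) (\S+) HTTP/', $line, $m)) {
            continue;
        }
        $query = parse_url($m[1], PHP_URL_QUERY);
        if (!is_string($query)) {
            continue;
        }
        parse_str($query, $params);
        if (!isset($params['order']) || !is_string($params['order'])) {
            continue;
        }
        if (parseOrder($params['order']) === null) {
            $hits[] = $params['order'];
        }
    }
    return $hits;
}

// --- Demonstration against an in-memory SQLite table (constructed data) ---
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE pages (id INTEGER, title TEXT, datepublished TEXT, status TEXT)');
$pdo->exec("INSERT INTO pages VALUES (1, 'b', '2026-01-02', 'published'), (2, 'a', '2026-01-01', 'draft')");

// The third value is not an allow-listed column, so it falls back to the default sort.
foreach (['title', '-datepublished', 'title DESC, id'] as $raw) {
    $sql = 'SELECT id FROM pages ' . buildOrderBy($raw);
    $ids = $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
    printf("%-20s -> %s -> ids %s\n", var_export($raw, true), $sql, implode(',', $ids));
}

// Constructed access-log lines, not from a real server.
$logLines = [
    '10.0.0.5 - - [29/May/2026:10:00:01 +0000] "GET /bolt/overview/pages?order=-datepublished HTTP/1.1" 200 512',
    '10.0.0.7 - - [29/May/2026:10:00:09 +0000] "GET /bolt/overview/pages?order=title%20desc%2C%20id HTTP/1.1" 200 512',
];
print_r(suspiciousOrderValues($logLines));
```

Run with `php example.php`. The key point is that parseOrder() never tries to escape the value: an ORDER BY target is an identifier, so the only safe options are an exact match against a fixed list or a fallback to the default sort. The same function doubles as a detection rule for the grep-style log review suggested above: any logged 'order' value it rejects deserves a closer look, since a legitimate client built against the allow-list should never send one.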

Compliance Impact

The vulnerability in Bolt CMS 3.7.0 allows an authenticated attacker with low-level privileges to perform SQL Injection via the 'order' parameter, potentially extracting sensitive information including administrative password hashes and possibly compromising the entire database.

Such unauthorized data extraction and database compromise can lead to violations of data protection regulations like GDPR and HIPAA, which require the protection of sensitive personal and health information against unauthorized access and breaches.

Therefore, exploitation of this vulnerability could result in non-compliance with these standards due to the exposure of sensitive data and failure to maintain adequate security controls.
