CVE-2026-11511
Deferred - Pending Action
HTML Injection in Bolt CMS

Publication date: 2026-06-08

Last updated on: 2026-06-08

Assigner: VulDB

Description
A weakness has been identified in Bolt CMS up to 3.7.5. The vulnerability affects unknown code in the file src/Storage/Field/Type/TextType.php of the component HTML Attribute Handler. Manipulating the argument style can lead to HTML injection. The attack can be launched remotely. The exploit has been made available to the public and could be used for attacks. The GitHub repository was archived by the owner and is now read-only. This vulnerability only affects products that are no longer supported by the maintainer.
Meta Information
Published: 2026-06-08
Last Modified: 2026-06-08
Generated: 2026-06-08
AI Q&A: 2026-06-08
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 1 associated CPE
Vendor: bolt_cms
Product: bolt_cms
Version / Range: to 3.7.5 (inc)
CWE ID and Description
CWE-80: The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as "<", ">", and "&" that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages.
CWE-74: The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

This vulnerability exists in Bolt CMS versions up to 3.7.5, specifically in the HTML Attribute Handler component within the file src/Storage/Field/Type/TextType.php. It involves a weakness where manipulation of the 'style' argument can lead to HTML injection. This means an attacker can inject malicious HTML code remotely by exploiting this flaw.

The vulnerability has been publicly disclosed and an exploit is available, but it only affects unsupported versions of the product.

Impact Analysis

The vulnerability allows an attacker to perform HTML injection remotely by manipulating the 'style' argument. This could lead to the injection of malicious HTML content, potentially affecting the integrity and appearance of web pages served by the affected Bolt CMS installation.

Since the vulnerability is of low to medium severity (CVSS v3.1 score 3.5), the impact is limited to integrity issues without direct confidentiality or availability compromise.
