Bolt · Bolt Cms · CVE-2019-10874
**Name of the Vulnerable Software and Affected Versions**
Bolt CMS version 3.6.6
**Description**
The issue is a Cross Site Request Forgery (CSRF) vulnerability. It allows remote attackers to execute arbitrary code by uploading a JavaScript file that adds executable extensions to the `file/edit/config/config.yml` configuration file through the `bolt/upload` File Upload feature.
**Recommendations**
For Bolt CMS version 3.6.6, as a temporary workaround, consider disabling the `bolt/upload` File Upload feature until a patch is available. Restrict access to the `file/edit/config/config.yml` configuration file to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
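To support the recommendation above, a defender can periodically verify that the upload allowlist in `config.yml` has not been widened to server-executable types. The following is an added example, not code from the page or from the Bolt project; it assumes Bolt 3's `accept_file_types` key (not named on this page) and uses constructed sample configs.

```python
import re

# Extensions the web server would execute if an uploaded file carried them.
# Constructed list for this example; extend it to match your server setup.
EXECUTABLE_EXTENSIONS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "cgi"}


def parse_accept_file_types(config_text: str) -> list:
    """Return the accept_file_types list from Bolt config.yml text.

    Handles the flow style Bolt ships by default (`key: [a, b, c]`) and the
    block style (`key:` followed by `- item` lines). Returns [] if absent.
    """
    lines = config_text.splitlines()
    for i, line in enumerate(lines):
        m = re.match(r"^\s*accept_file_types\s*:\s*(.*)$", line)
        if not m:
            continue
        rest = m.group(1).split("#", 1)[0].strip()  # drop trailing comment
        if rest.startswith("["):
            inner = rest.strip("[]")
            return [x.strip().strip("'\"").lower() for x in inner.split(",") if x.strip()]
        items = []
        for follow in lines[i + 1:]:
            bm = re.match(r"^\s*-\s*(.+?)\s*$", follow)
            if not bm:
                break
            items.append(bm.group(1).strip("'\"").lower())
        return items
    return []


def find_executable_extensions(config_text: str) -> list:
    """List allowed upload extensions that the server would execute (sorted)."""
    allowed = [ext.lstrip(".") for ext in parse_accept_file_types(config_text)]
    return sorted(ext for ext in allowed if ext in EXECUTABLE_EXTENSIONS)


# Constructed sample: a config.yml resembling the shipped default ...
CLEAN_CONFIG = """\
sitename: Example
accept_file_types: [twig, html, js, css, gif, jpg, jpeg, png, pdf, svg]
"""
# ... and one where the allowlist has been widened to executable types.
TAMPERED_CONFIG = """\
sitename: Example
accept_file_types: [twig, html, js, css, gif, jpg, php, phtml, pdf]
"""

if __name__ == "__main__":
    for name, cfg in (("clean", CLEAN_CONFIG), ("tampered", TAMPERED_CONFIG)):
        bad = find_executable_extensions(cfg)
        print(f"{name}: " + ("OK" if not bad else "ALERT, executable uploads allowed: " + ", ".join(bad)))
```

Run it against the live `config.yml` (or a file-integrity monitor diff of it) so that an unexpected change to the allowlist is noticed rather than discovered after an upload.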