PT-2025-27826 · Bolt Cms · Bolt Cms

Sivanesh Ashok · Published 2025-07-03 · Updated 2025-09-16 · CVE-2025-34086

CVSS v3.1: 8.8 High

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions: Bolt CMS versions 3.7.0 and earlier
Description: The issue allows an authenticated user to achieve remote code execution. This is done by injecting arbitrary PHP code into the displayname field of the user profile, which is rendered unsanitized in backend templates. The attacker can list and rename cached session files via the "/async/browse/cache/.sessions" and "/async/folder/rename" endpoints. By renaming a .session file to a path under the publicly accessible "/files/" directory with a .php extension, the attacker can turn the injected code into an executable web shell. The attacker then triggers the payload via a crafted HTTP GET request to the rogue file.
Recommendations: For Bolt CMS versions 3.7.0 and earlier, consider updating to a version that is still supported, as Bolt 3 reached end-of-life after 31 December 2021. As a temporary workaround, consider restricting access to the "/async/browse/cache/.sessions" and "/async/folder/rename" endpoints to minimize the risk of exploitation. Avoid using the displayname field in user profiles until the issue is resolved. Restrict access to the "/files/" directory to prevent execution of malicious PHP code.
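
Detection example, added here and not part of the advisory or of Bolt's code: a log check that flags clients that touch the two endpoints named above and then request a `.php` file under `/files/`. The Combined Log Format, the sample lines, the IP addresses, the file names and the HTTP methods are constructed assumptions.

```python
import re
from collections import defaultdict

# Combined Log Format prefix: client IP, timestamp, "METHOD path ...", status.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (\S+)[^"]*" \d{3}')

# Stages in the order the advisory describes them; paths come from the advisory.
# Patterns are unanchored so a mount prefix in front of the path still matches.
STAGES = [
    ("browse_sessions", re.compile(r"/async/browse/cache/\.sessions")),
    ("folder_rename", re.compile(r"/async/folder/rename")),
    ("php_under_files", re.compile(r"/files/[^?]*\.php(?:[/?]|$)", re.I)),
]
ORDER = [name for name, _ in STAGES]

def classify(path):
    """Return the stage name a request path belongs to, or None."""
    for name, rx in STAGES:
        if rx.search(path):
            return name
    return None

def scan(lines):
    """Map each client IP to the stages it touched, in first-seen order."""
    seen = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, path = m.groups()
        stage = classify(path)
        if stage and stage not in seen[ip]:
            seen[ip].append(stage)
    return dict(seen)

def full_chain(hits):
    """IPs that hit all three stages in the advisory's order."""
    return sorted(ip for ip, stages in hits.items() if stages == ORDER)

# Constructed sample log (documentation IP ranges; names and methods invented).
SAMPLE = [
    '203.0.113.7 - - [03/Jul/2025:10:00:01 +0000] "GET /async/browse/cache/.sessions HTTP/1.1" 200 812',
    '198.51.100.20 - - [03/Jul/2025:10:00:02 +0000] "GET /files/photo.jpg HTTP/1.1" 200 5120',
    '203.0.113.7 - - [03/Jul/2025:10:00:05 +0000] "POST /async/folder/rename HTTP/1.1" 200 4',
    '192.0.2.44 - - [03/Jul/2025:10:00:06 +0000] "GET /async/browse/cache/.sessions HTTP/1.1" 403 0',
    '203.0.113.7 - - [03/Jul/2025:10:00:09 +0000] "GET /files/example.php HTTP/1.1" 200 17',
]

if __name__ == "__main__":
    hits = scan(SAMPLE)
    print(hits, full_chain(hits))
```

Any single `php_under_files` hit deserves review on its own, since the upload directory is not expected to serve PHP.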

Exploit

Fix

RCE

Code Injection

Unrestricted File Upload

Weakness Enumeration

Related Identifiers

CVE-2025-34086
GHSA-P9QC-8JJX-G8CG

Affected Products

Bolt Cms