Bolt CMS HTML Attribute TextType.php HTML injection
CVE-2026-11511

5.1MEDIUM

Key Information:

Vendor

Bolt

Status
Cms
Vendor
CVE Published:
8 June 2026

What is CVE-2026-11511?

A weakness has been identified in Bolt CMS up to 3.7.5. This vulnerability affects unknown code of the file src/Storage/Field/Type/TextType.php of the component HTML Attribute Handler. Executing a manipulation of the argument style can lead to HTML injection. It is possible to launch the attack remotely. The exploit has been made available to the public and could be used for attacks. The GitHub repository was archived by the owner and is now read-only. This vulnerability only affects products that are no longer supported by the maintainer.

Affected Version(s)

CMS 3.7.0

CMS 3.7.1

CMS 3.7.2

References

https://vuldb.com/vuln/369131
vdb-entrytechnical-description
https://vuldb.com/vuln/369131/cti
signaturepermissions-required
https://vuldb.com/cve/CVE-2026-11511
third-party-advisory

CVSS V4

Score:
5.1
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

geochen (VulDB User)
VulDB CNA Team
.