CVE-2025-34086: CWE-94 Improper Control of Generation of Code ('Code Injection') in Bolt CMS
Bolt CMS versions 3.7.0 and earlier contain a chain of vulnerabilities that together allow an authenticated user to achieve remote code execution. A user with valid credentials can inject arbitrary PHP code into the displayname field of the user profile, which is rendered unsanitized in backend templates. The attacker can then list and rename cached session files via the /async/browse/cache/.sessions and /async/folder/rename endpoints. By renaming a .session file to a path under the publicly accessible /files/ directory with a .php extension, the attacker can turn the injected code into an executable web shell. Finally, the attacker triggers the payload via a crafted HTTP GET request to the rogue file. NOTE: The vendor announced that Bolt 3 reached end-of-life after 31 December 2021.
AI Analysis
Technical Summary
CVE-2025-34086 affects Bolt CMS versions 3.7.0 and earlier. An authenticated user can inject arbitrary PHP code into the displayname field of their user profile, which is rendered without sanitization in backend templates. The attacker can then list and rename cached session files through specific endpoints, renaming a .session file to a .php file under the publicly accessible /files/ directory. This allows the injected PHP code to be executed as a web shell when accessed via a crafted HTTP GET request, resulting in remote code execution. The vulnerability chain involves improper control of code generation (CWE-94) and unsafe file handling (CWE-434). The vendor has declared Bolt 3 end-of-life as of December 31, 2021, and no patch or official fix is available.
Potential Impact
An authenticated user with valid credentials can achieve remote code execution on affected Bolt CMS installations by exploiting this vulnerability. This can lead to full system compromise, unauthorized access, and execution of arbitrary code on the server hosting the CMS. Since the vulnerability requires authentication, the risk is limited to users who have valid login credentials. There are no known exploits in the wild as of the published date.
Mitigation Recommendations
Bolt CMS version 3 has reached end-of-life as of December 31, 2021, and no official patch or fix is available for this vulnerability. Users are strongly advised to upgrade to a supported version of Bolt CMS that is not affected by this issue or migrate to an alternative CMS solution. Until then, restrict access to the CMS backend to trusted users only and monitor for suspicious activity. Patch status is not yet confirmed due to end-of-life status; check vendor communications for any possible updates or community patches.
CVE-2025-34086: CWE-94 Improper Control of Generation of Code ('Code Injection') in Bolt CMS
Description
Bolt CMS versions 3.7.0 and earlier contain a chain of vulnerabilities that together allow an authenticated user to achieve remote code execution. A user with valid credentials can inject arbitrary PHP code into the displayname field of the user profile, which is rendered unsanitized in backend templates. The attacker can then list and rename cached session files via the /async/browse/cache/.sessions and /async/folder/rename endpoints. By renaming a .session file to a path under the publicly accessible /files/ directory with a .php extension, the attacker can turn the injected code into an executable web shell. Finally, the attacker triggers the payload via a crafted HTTP GET request to the rogue file. NOTE: The vendor announced that Bolt 3 reached end-of-life after 31 December 2021.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2025-34086 affects Bolt CMS versions 3.7.0 and earlier. An authenticated user can inject arbitrary PHP code into the displayname field of their user profile, which is rendered without sanitization in backend templates. The attacker can then list and rename cached session files through specific endpoints, renaming a .session file to a .php file under the publicly accessible /files/ directory. This allows the injected PHP code to be executed as a web shell when accessed via a crafted HTTP GET request, resulting in remote code execution. The vulnerability chain involves improper control of code generation (CWE-94) and unsafe file handling (CWE-434). The vendor has declared Bolt 3 end-of-life as of December 31, 2021, and no patch or official fix is available.
Potential Impact
An authenticated user with valid credentials can achieve remote code execution on affected Bolt CMS installations by exploiting this vulnerability. This can lead to full system compromise, unauthorized access, and execution of arbitrary code on the server hosting the CMS. Since the vulnerability requires authentication, the risk is limited to users who have valid login credentials. There are no known exploits in the wild as of the published date.
Mitigation Recommendations
Bolt CMS version 3 has reached end-of-life as of December 31, 2021, and no official patch or fix is available for this vulnerability. Users are strongly advised to upgrade to a supported version of Bolt CMS that is not affected by this issue or migrate to an alternative CMS solution. Until then, restrict access to the CMS backend to trusted users only and monitor for suspicious activity. Patch status is not yet confirmed due to end-of-life status; check vendor communications for any possible updates or community patches.
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- VulnCheck
- Date Reserved
- 2025-04-15T19:15:22.551Z
- Cvss Version
- 4.0
- State
- PUBLISHED
Threat ID: 6866dff66f40f0eb729b6244
Added to database: 7/3/2025, 7:54:30 PM
Last enriched: 4/7/2026, 11:00:01 PM
Last updated: 5/9/2026, 2:19:19 AM
Views: 123
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.