CVE-2018-19933

MEDIUM

Bolt CMS < 3.6.2 - Stored Cross-Site Scripting via Title Field Preview

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2018-19933. PoCs published by Raif Berkay Dincel.

AI-analyzed exploit summary This exploit demonstrates a stored XSS vulnerability in Bolt CMS versions prior to 3.6.2. The PoC shows how an attacker can inject malicious JavaScript via the 'title' parameter in a POST request to the preview endpoint, which executes when previewed.

Description

Bolt CMS <3.6.2 allows XSS via text input click preview button as demonstrated by the Title field of a Configured and New Entry.

Exploits (1)

exploitdb WORKING POC
by Raif Berkay Dincel · textwebappsphp
https://www.exploit-db.com/exploits/46014

This exploit demonstrates a stored XSS vulnerability in Bolt CMS versions prior to 3.6.2. The PoC shows how an attacker can inject malicious JavaScript via the 'title' parameter in a POST request to the preview endpoint, which executes when previewed.

Classification
Working Poc 95%
Attack Type
Xss
Complexity
Trivial
Reliability
Reliable
Target: Bolt CMS < 3.6.2
Auth required
Prerequisites: Authenticated access to the Bolt CMS admin panel · Ability to send crafted POST requests to the preview endpoint
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (3)

Core 3
Core References
Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/46014/
Exploit, Third Party Advisory x_refsource_misc
https://github.com/rdincel1/Bolt-CMS-3.6.2---Cross-Site-Scripting
Exploit, Third Party Advisory x_refsource_misc
https://www.raifberkaydincel.com/bolt-cms-xss-vulnerability.html

Scores

CVSS v3 6.1
EPSS 0.0224
EPSS Percentile 85.0%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

CWE
CWE-79
Status published
Products (2)
bolt/bolt 0 - 3.6.2Packagist
bolt/bolt_cms < 3.6.2
Published Dec 17, 2018
Tracked Since Feb 18, 2026