PatchSiren cyber security CVE debrief
CVE-2026-11511 Bolt CVE debrief
A weakness has been identified in Bolt CMS up to 3.7.5. It affects unknown code in the file src/Storage/Field/Type/TextType.php of the HTML Attribute Handler component. Manipulating the style argument can lead to HTML injection. The attack can be launched remotely. The exploit has been made available to the public and could be used for attacks. The GitHub repository was archived by the owner and is now read-only. This vulnerability only affects products that are no longer supported by the maintainer.
- Vendor: Bolt
- Product: CMS
- CVSS: LOW 2
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-08
- Original CVE updated: 2026-06-08
- Advisory published: 2026-06-08
- Advisory updated: 2026-06-08
Who should care
Users of Bolt CMS versions up to 3.7.5
Technical summary
The vulnerability exists in the TextType.php file, specifically in the handling of the 'style' argument, which can be manipulated to inject HTML code.
Defensive priority
Low
Recommended defensive actions
- Upgrade to a supported version of Bolt CMS, if available
- Implement additional security measures to monitor and restrict the input handled by TextType.php, in particular the style argument
Evidence notes
The CVE record was published on [cve-org](https://www.cve.org/CVERecord?id=CVE-2026-11511). The NVD detail can be found at [nvd](https://nvd.nist.gov/vuln/detail/CVE-2026-11511). Additional information is available at [ref-4](https://vuldb.com/cve/CVE-2026-11511), [ref-5](https://vuldb.com/submit/836106), [ref-6](https://vuldb.com/vuln/369131), and [ref-7](https://vuldb.com/vuln/369131/cti).
Official resources
Publicly disclosed