CVE-2021-40219: Code Injection in Bolt CMS
8.8
CVSS Score
3.1
Basic Information
CVE ID
GHSA ID
EPSS Score
0.89261%
CWE
Published
4/12/2022
Updated
1/27/2023
KEV Status
No
Technology
PHP
Technical Details
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
bolt/core | composer | <= 4.2 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from the TemplateController
's template()
method which takes a user-supplied template name and passes it directly to Twig's render()
function. The code comment explicitly warns this isn't routed by default due to security risks. Attackers with theme editing privileges can create malicious templates containing Twig code (like the PoC's {{[...]|filter('system')}}
payload), which gets executed when the template is rendered. The lack of input sanitization and unsafe rendering of user-controlled template files creates the code injection vector. The provided exploit demonstrates this leads to RCE through Twig's template execution capabilities.