RCE in Bolt CMS

CVE-2025-34086

Bolt CMS versions 3.7.0 and earlier contain a chain of vulnerabilities that together allow an authenticated user to achieve remote code execution. A user with valid credentials can inject arbitrary PHP code into the displayname field of th…
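Two checks a defender can run against this description: whether a deployed Bolt release falls in the affected range (3.7.0 and earlier), and whether any stored displayname value carries a PHP open tag, since that field is the injection point named above. The script below is an added example for this page, not Bolt's own code and not a proof of concept; the user records it scans are constructed inline, and nothing about Bolt's real storage layout is assumed (export the users table to the same list-of-dicts shape before running it against a live instance).

```python
import html
import re
from urllib.parse import unquote

# Last affected release per the advisory text on this page.
LAST_AFFECTED = (3, 7, 0)

# PHP open tags: full tag, echo shorthand, and the short tag. A legitimate
# display name has no business containing "<?" in any form.
PHP_OPEN_TAG_RE = re.compile(r"<\?(?:php\b|=|\s|$)", re.IGNORECASE)


def parse_version(version: str) -> tuple:
    """Turn '3.7.0', 'v3.6.9' or '3.7.0-beta1' into a comparable (major, minor, patch) tuple."""
    core = version.strip().lstrip("vV").split("-")[0]
    nums = []
    for part in core.split(".")[:3]:
        match = re.match(r"\d+", part)
        nums.append(int(match.group()) if match else 0)
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums)


def is_affected(version: str) -> bool:
    """True when the installed Bolt version is 3.7.0 or earlier."""
    return parse_version(version) <= LAST_AFFECTED


def suspicious_displayname(name: str) -> bool:
    """Flag a displayname that contains a PHP open tag, even if it was stored
    HTML-entity-encoded or URL-encoded (either would still be written out
    verbatim by code that decodes before use)."""
    decoded = html.unescape(unquote(name))
    return bool(PHP_OPEN_TAG_RE.search(decoded)) or bool(PHP_OPEN_TAG_RE.search(name))


# Constructed sample records standing in for an export of the Bolt users table.
SAMPLE_USERS = [
    {"username": "alice", "displayname": "Alice Example"},
    {"username": "bob", "displayname": "Bob <3 PHP"},
    {"username": "mallory", "displayname": "<?php system($_GET['c']); ?>"},
    {"username": "eve", "displayname": "&lt;?php echo 1; ?&gt;"},
    {"username": "trent", "displayname": "%3C%3F%3D%20phpinfo()%3B%20%3F%3E"},
]


def scan_users(users: list) -> list:
    """Return the usernames whose displayname looks like injected PHP."""
    return [u["username"] for u in users if suspicious_displayname(u["displayname"])]


if __name__ == "__main__":
    for v in ("3.7.0", "3.7.1", "v3.6.9"):
        print(f"Bolt {v}: {'affected' if is_affected(v) else 'not in affected range'}")
    print("suspicious displaynames:", scan_users(SAMPLE_USERS))
```

A hit from scan_users is not proof of compromise on its own, because the page describes a chain rather than a single step, but a stored PHP tag in a profile field of an affected release is exactly the artifact this advisory points at and warrants treating the account and the host as suspect.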

Vulnerability class: RCE (Remote Code Execution)

EPSS: 0.674 (98.6th percentile) — read the EPSS interpretation.

Affected products

Weakness classification (CWE)

Public proof-of-concept exploits

References

Frequently asked questions

What is CVE-2025-34086?
CVE-2025-34086 is a vulnerability in Bolt CMS, classified under Code Injection. Published 2025-07-03.
Is CVE-2025-34086 known to be exploited?
1 public proof-of-concept repository is indexed. Not currently listed in the CISA KEV catalog.