
CVE-2022-36532

Severity: High · Public PoC available

Published: 16 September 2022
Modified: 21 November 2024
KEV Added: not listed
Patch: none enumerated in the available references
CVSS v3.1: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS: 0.2479 (96.3rd percentile)
Risk Priority: 32 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-36532 is a high-severity vulnerability in Bolt CMS (vendor bolt, product bolt cms); no CWE is assigned in the available data. Its CVSS v3.1 base score is 8.8 (High).

Operationally, it ranks in the top 3.7% of CVEs by predicted exploit likelihood (EPSS 0.2479); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Deeper analysis

Bolt CMS versions 5.1.12 and earlier contain a flaw that permits an authenticated user holding ROLE_EDITOR privileges to upload a file and subsequently rename it, resulting in remote code execution on the server. The issue carries a CVSS v3.1 score of 8.8: network attack vector, low attack complexity, low privileges required and no user interaction, with high impact on confidentiality, integrity and availability.

An attacker who obtains or already possesses ROLE_EDITOR credentials can upload a crafted file, rename it to a web-executable extension, and trigger execution of arbitrary code, thereby gaining full control over the affected Bolt CMS instance.
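The following is an added example, not Bolt CMS code and not taken from the references on this page. It shows the property a file manager must preserve to close this class of bug: the extension policy enforced when a file is uploaded is re-applied to every later rename, so that an upload admitted as an image cannot be turned into a server-side script by renaming it. It goes beyond the single case in the text by also rejecting double extensions, case variants, trailing dots and path separators. The allowlist, the executable-extension list and all function names are assumptions chosen for illustration.

```python
"""Added example: rename-target validation for a CMS file manager.

Not Bolt CMS code. The policy lists and names below are assumptions
chosen to illustrate the check; adapt them to the real deployment.
"""
import posixpath
import re

# Assumed upload allowlist. SVG is deliberately absent because it can carry script.
ALLOWED_EXTENSIONS = frozenset({"jpg", "jpeg", "png", "gif", "webp", "pdf", "txt", "md", "csv"})

# Extensions a typical web server may hand to an interpreter, plus
# server-configuration extensions. Checked on every extension segment so that
# "shell.php.jpg" is rejected even though its last segment is allowed.
EXECUTABLE_EXTENSIONS = frozenset({
    "php", "php3", "php4", "php5", "php7", "php8", "phtml", "phar", "phps", "pht",
    "cgi", "pl", "py", "jsp", "asp", "aspx", "sh", "htaccess", "ini",
})
RESERVED_BASENAMES = frozenset({".htaccess", ".htpasswd", ".user.ini", "web.config"})

# One leading alphanumeric, then a conservative character set; NUL bytes and
# control characters are rejected by construction.
_SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,254}$")


def normalize_basename(name: str) -> str:
    """Strip trailing dots and spaces that some filesystems silently drop
    ("shell.php." would otherwise be stored as "shell.php")."""
    return name.rstrip(". ")


def extension_segments(name: str) -> list[str]:
    """Every segment after the first dot, lower-cased: "a.PHP.jpg" -> ["php", "jpg"]."""
    parts = name.split(".")
    return [p.lower() for p in parts[1:]]


def is_allowed_name(name: str) -> bool:
    """Extension policy. Must be applied identically at upload and at rename."""
    # Path separators are rejected outright rather than stripped: a rename must
    # never be able to move a file out of the managed directory.
    if "/" in name or "\\" in name or "\x00" in name:
        return False
    base = normalize_basename(name)
    if not base or base.lower() in RESERVED_BASENAMES or not _SAFE_NAME.match(base):
        return False
    exts = extension_segments(base)
    if not exts or any(e in EXECUTABLE_EXTENSIONS for e in exts):
        return False
    return exts[-1] in ALLOWED_EXTENSIONS


def unsafe_rename(current: str, new: str) -> str:
    """Vulnerable pattern: the upload step validated `current`, but the rename
    trusts `new`, so an allowed upload can become a server-side script."""
    return posixpath.basename(new)


def safe_rename(current: str, new: str) -> str:
    """Hardened pattern: the rename target must satisfy the same policy as an
    upload. Returns the name that would be stored; raises ValueError otherwise."""
    if not is_allowed_name(current):
        raise ValueError(f"existing file fails policy, refusing to touch it: {current!r}")
    if not is_allowed_name(new):
        raise ValueError(f"rename target rejected by upload policy: {new!r}")
    return normalize_basename(new)


if __name__ == "__main__":
    # Constructed sample targets covering the common bypass tricks.
    for target in ("photo2.jpg", "shell.php", "shell.php.jpg", "shell.PhAr", "shell.php.", ".htaccess"):
        print(f"{target!r:18} allowed={is_allowed_name(target)}")
```

The single design point is that `is_allowed_name` is the only policy and both entry points call it; a rename handler with its own, weaker check is exactly the gap that lets an editor-level account turn a stored image into executable code.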

The supplied references point to bolt.com and a detailed analysis at lutrasecurity.com, though no explicit patch or mitigation steps are enumerated in the available data.

The EPSS score rose from a low baseline to a peak of 0.4680 on 2025-12-11 before receding to the current 0.2479, indicating a period of elevated predicted exploitation likelihood well after initial disclosure.

Vulnerability details

Bolt CMS contains a vulnerability in version 5.1.12 and below that allows an authenticated user with the ROLE_EDITOR privileges to upload and rename a malicious file to achieve remote code execution.

CWE(s)

None assigned in the available data.

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: bolt
Product: bolt cms
Versions: ≤ 5.1.12

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
