{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4616", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-03-23T05:53:41.459Z", "datePublished": "2026-03-24T00:16:11.901Z", "dateUpdated": "2026-03-26T12:26:30.056Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-03-24T00:16:11.901Z"}, "title": "bolo-blog Article Title article cross site scripting", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-79", "lang": "en", "description": "Cross Site Scripting"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-94", "lang": "en", "description": "Code Injection"}]}], "affected": [{"vendor": "n/a", "product": "bolo-blog", "versions": [{"version": "2.6.0", "status": "affected"}, {"version": "2.6.1", "status": "affected"}, {"version": "2.6.2", "status": "affected"}, {"version": "2.6.3", "status": "affected"}, {"version": "2.6.4", "status": "affected"}], "modules": ["Article Title Handler"]}], "descriptions": [{"lang": "en", "value": "A security flaw has been discovered in bolo-blog \uae4c\uc9c0 2.6.4. The affected element is an unknown function of the file /console/article/ of the component Article Title Handler. Performing a manipulation of the argument articleTitle results in cross site scripting. It is possible to initiate the attack remotely. The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report but has not responded yet."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 4.8, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 2.4, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R", "baseSeverity": "LOW"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 2.4, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R", "baseSeverity": "LOW"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 3.3, "vectorString": "AV:N/AC:L/Au:M/C:N/I:P/A:N/E:POC/RL:ND/RC:UR"}}], "timeline": [{"time": "2026-03-23T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-03-23T01:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-03-23T06:58:51.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "Lastxuan (VulDB User)", "type": "reporter"}], "references": [{"url": "https://vuldb.com/?id.352480", "name": "VDB-352480 | bolo-blog Article Title article cross site scripting", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.352480", "name": "VDB-352480 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.775742", "name": "Submit #775742 | bolo-blog bolo-solo 2.6.4 Cross Site Scripting", "tags": ["third-party-advisory"]}, {"url": "https://github.com/bolo-blog/bolo-solo/issues/330", "tags": ["issue-tracking"]}, {"url": "https://github.com/bolo-blog/bolo-solo/issues/330#issue-4045018183", "tags": ["exploit", "issue-tracking"]}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-26T12:26:10.188700Z", "id": "CVE-2026-4616", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T12:26:30.056Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-4616", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-26T12:26:10.188700Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T12:26:26.118Z"}}], "cna": {"title": "bolo-blog Article Title article cross site scripting", "credits": [{"lang": "en", "type": "reporter", "value": "Lastxuan (VulDB User)"}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 4.8, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 2.4, "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 2.4, "baseSeverity": "LOW", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 3.3, "vectorString": "AV:N/AC:L/Au:M/C:N/I:P/A:N/E:POC/RL:ND/RC:UR"}}], "affected": [{"vendor": "n/a", "modules": ["Article Title Handler"], "product": "bolo-blog", "versions": [{"status": "affected", "version": "2.6.0"}, {"status": "affected", "version": "2.6.1"}, {"status": "affected", "version": "2.6.2"}, {"status": "affected", "version": "2.6.3"}, {"status": "affected", "version": "2.6.4"}]}], "timeline": [{"lang": "en", "time": "2026-03-23T00:00:00.000Z", "value": "Advisory disclosed"}, {"lang": "en", "time": "2026-03-23T01:00:00.000Z", "value": "VulDB entry created"}, {"lang": "en", "time": "2026-03-23T06:58:51.000Z", "value": "VulDB entry last update"}], "references": [{"url": "https://vuldb.com/?id.352480", "name": "VDB-352480 | bolo-blog Article Title article cross site scripting", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.352480", "name": "VDB-352480 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.775742", "name": "Submit #775742 | bolo-blog bolo-solo 2.6.4 Cross Site Scripting", "tags": ["third-party-advisory"]}, {"url": "https://github.com/bolo-blog/bolo-solo/issues/330", "tags": ["issue-tracking"]}, {"url": "https://github.com/bolo-blog/bolo-solo/issues/330#issue-4045018183", "tags": ["exploit", "issue-tracking"]}], "descriptions": [{"lang": "en", "value": "A security flaw has been discovered in bolo-blog \uae4c\uc9c0 2.6.4. The affected element is an unknown function of the file /console/article/ of the component Article Title Handler. Performing a manipulation of the argument articleTitle results in cross site scripting. It is possible to initiate the attack remotely. The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report but has not responded yet."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "Cross Site Scripting"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-94", "description": "Code Injection"}]}], "providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-03-24T00:16:11.901Z"}}}, "cveMetadata": {"cveId": "CVE-2026-4616", "state": "PUBLISHED", "dateUpdated": "2026-03-26T12:26:30.056Z", "dateReserved": "2026-03-23T05:53:41.459Z", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "datePublished": "2026-03-24T00:16:11.901Z", "assignerShortName": "VulDB"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A security flaw has been discovered in bolo-blog \uae4c\uc9c0 2.6.4. The affected element is an unknown function of the file /console/article/ of the component Article Title Handler. Performing a manipulation of the argument articleTitle results in cross site scripting. It is possible to initiate the attack remotely. The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report but has not responded yet."}], "id": "CVE-2026-4616", "lastModified": "2026-03-24T15:53:48.067", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "MULTIPLE", "availabilityImpact": "NONE", "baseScore": 3.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:M/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 6.4, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 2.4, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 0.9, "impactScore": 1.4, "source": "cna@vuldb.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "HIGH", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-03-24T01:17:02.367", "references": [{"source": "cna@vuldb.com", "url": "https://github.com/bolo-blog/bolo-solo/issues/330"}, {"source": "cna@vuldb.com", "url": "https://github.com/bolo-blog/bolo-solo/issues/330#issue-4045018183"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?ctiid.352480"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?id.352480"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?submit.775742"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}, {"lang": "en", "value": "CWE-94"}], "source": "cna@vuldb.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2.6.0"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2.6.1"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2.6.2"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2.6.3"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2.6.4"}}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 89.0, "source": "matching"}]}, "original": {"product": "bolo-blog", "source": "cna", "vendor": "n/a"}, "product": "bolo-solo", "vendor": "bolo-blog"}], "analysis": {"en": {"generated_at": "2026-03-24T03:53:55.134437+00:00", "value": {"mitigation_remediation": ["Check the bolo\u2011blog website or repository for an updated version or patch and upgrade immediately if available.", "If a patch is not available, implement server\u2011side sanitization of the articleTitle parameter to escape or remove dangerous HTML and script content.", "Add a Content Security Policy header to the HTTP responses from the Article Title pages to restrict script execution.", "Monitor incoming requests for unusual or suspicious articleTitle values that may indicate exploitation attempts.", "Consider disabling the Article Title feature or restricting access if the feature is not essential to operations."], "summary": {"action": "Assess Impact", "impact": "Client\u2011side cross\u2011site scripting via the articleTitle parameter"}, "threat_synthesis": {"affected_systems": "Versions of the bolo\u2011blog platform up to and including 2.6.4 are affected. The flaw resides in the Article Title Handler component accessed through /console/article/ and is triggered by manipulation of the articleTitle argument. No other vendors or products are known to be impacted.", "description_and_impact": "The vulnerability is a client\u2011side cross\u2011site scripting flaw discovered in the Article Title Handler of bolo\u2011blog. A malformed articleTitle argument sent to the /console/article/ endpoint can cause arbitrary JavaScript to be executed in the browsers of any user who views the resulting page. The potential impact is the execution of malicious scripts in victims\u2019 browsers, enabling session hijacking, credential theft, or defacement.", "risk_and_exploitability": "The CVSS score for this flaw is 4.8, indicating a moderate severity. EPSS data is unavailable and the vulnerability is not listed in the CISA KEV catalog. However, the public release of an exploit makes the threat real and suggests that attackers could exploit the issue remotely through crafted requests. The lack of a patch and the ability to trigger the flaw remotely heighten the practical risk for exposed deployments."}}}}, "created": "2026-03-24T10:29:37.203646+00:00", "updated": "2026-03-25T20:40:43.220885+00:00", "vendors": ["bolo-blog", "bolo-blog$PRODUCT$bolo-solo"]}