bolt/bolt is vulnerable to cross-site request forgery. The vulnerability exists because the preview-generating endpoint in src/Controller/Frontend.php accepts requests without a valid token, which allows an attacker to inject and execute arbitrary JavaScript.
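An added example, not Bolt's code or the project's patch: a minimal PHP preview handler that rejects any request lacking a valid session-bound token before it renders submitted content. The function names, the `_csrf_token` field and the `preview_csrf` session key are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helpers for illustration; none of these names are Bolt's API.

/** Issue (or reuse) a per-session CSRF token to embed in the edit form. */
function issuePreviewToken(array &$session): string
{
    if (!isset($session['preview_csrf'])) {
        $session['preview_csrf'] = bin2hex(random_bytes(32));
    }
    return $session['preview_csrf'];
}

/** Constant-time comparison of the submitted token with the session's token. */
function isValidPreviewToken(array $session, array $post): bool
{
    $expected = $session['preview_csrf'] ?? null;
    $given    = $post['_csrf_token'] ?? null;
    return is_string($expected) && is_string($given) && hash_equals($expected, $given);
}

/** Preview handler returning [status, body]; the token check runs before any rendering. */
function handlePreview(string $method, array $session, array $post): array
{
    if ($method !== 'POST' || !isValidPreviewToken($session, $post)) {
        return [403, 'Invalid or missing CSRF token'];
    }
    // Output encoding stays in place as a second layer for plain-text fields.
    $title = htmlspecialchars((string) ($post['title'] ?? ''), ENT_QUOTES, 'UTF-8');
    return [200, "<h1>{$title}</h1>"];
}

// Constructed requests: a cross-site POST without a token, then a legitimate one.
$session = [];
$token   = issuePreviewToken($session);

$forged = handlePreview('POST', $session, ['title' => '<script>/* untrusted */</script>']);
$legit  = handlePreview('POST', $session, ['title' => 'Draft', '_csrf_token' => $token]);

printf("forged: %d %s\n", $forged[0], $forged[1]);
printf("legit:  %d %s\n", $legit[0], $legit[1]);
```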
packetstormsecurity.com/files/158299/Bolt-CMS-3.7.0-XSS-CSRF-Shell-Upload.html
seclists.org/fulldisclosure/2020/Jul/4
github.com/advisories/GHSA-2q66-6cc3-6xm8
github.com/bolt/bolt/commit/b42cbfcf3e3108c46a80581216ba03ef449e419f
github.com/bolt/bolt/pull/7853
github.com/bolt/bolt/security/advisories/GHSA-2q66-6cc3-6xm8