Bolt prior to 3.6.10 has XSS via createFolder or createFile in Controller/Async/FilesystemManager.php.
boltcms bolt