Description
CMS Made Simple 2.2.15 contains a stored cross-site scripting vulnerability that allows authenticated users with Content Manager access to inject malicious scripts through SVG file uploads. Attackers can upload SVG files containing embedded JavaScript to the file manager, which executes when other authenticated users access the uploaded file, enabling cookie theft and session hijacking.
Published: 2026-05-16
Score: 5.1 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

CMS Made Simple 2.2.15 is vulnerable to a stored cross‑site scripting flaw that is triggered when an authenticated user with Content Manager privileges uploads an SVG file containing embedded JavaScript. When another authenticated user opens the uploaded file via the file manager, the injected script executes in the victim’s browser, allowing attackers to steal session cookies and hijack the user’s session.

Affected Systems

This issue affects CMS Made Simple 2.2.15; the flaw lies in the file manager's handling of uploaded SVG files and is present in the versions that share that upload handling. The product is listed under the vendor name CMS Made Simple.

Risk and Exploitability

The CVSS score of 5.1 indicates a medium severity vulnerability, and no EPSS data is available. The attack requires legitimate user credentials with Content Manager role permissions; an attacker who obtains or reuses such credentials can upload malicious SVG files. Because the vulnerability is not listed in the CISA KEV catalog, no exploitation in the wild has been confirmed, but the potential for widespread session hijacking exists if the upload module is left unprotected.

Generated by OpenCVE AI on May 16, 2026 at 16:56 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade CMS Made Simple to a version that removes the SVG upload vulnerability.
  • If an upgrade cannot be performed immediately, reconfigure the file manager to reject SVG files or to strip out script elements from uploaded SVG content before rendering.
  • Apply the principle of least privilege by limiting Content Manager accounts to only necessary operations and disabling the ability to upload SVG files from that role.
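One way to implement the second recommendation above (reject SVG uploads that carry active content rather than rendering them), as an added Python example that is not code from CMS Made Simple or OpenCVE; the function names and the constructed sample files are assumptions made here:

```python
import xml.etree.ElementTree as ET

# Elements that embed script or foreign markup inside an SVG document.
FORBIDDEN_ELEMENTS = {"script", "foreignobject", "iframe", "embed", "object"}
# Checked on the raw text: ElementTree drops DOCTYPEs and processing
# instructions while parsing, so they would otherwise go unnoticed.
FORBIDDEN_MARKERS = ("<!doctype", "<!entity", "<?xml-stylesheet")

def _local(qualified: str) -> str:
    """'{http://www.w3.org/2000/svg}script' -> 'script'."""
    return qualified.rsplit("}", 1)[-1].lower()

def _normalized(value: str) -> str:
    """Drop whitespace/control chars so an obfuscated scheme is still seen."""
    return "".join(c for c in value if not c.isspace() and ord(c) > 31).lower()

def svg_is_safe(data: bytes) -> tuple[bool, str]:
    """Return (accepted, reason) for an uploaded SVG body."""
    try:
        lowered = data.decode("utf-8").lower()
    except UnicodeDecodeError:
        return False, "not valid UTF-8"
    for marker in FORBIDDEN_MARKERS:
        if marker in lowered:
            return False, f"{marker} is not allowed"
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return False, f"malformed XML: {exc}"
    if _local(root.tag) != "svg":
        return False, "root element is not <svg>"
    for el in root.iter():
        name = _local(el.tag)
        if name in FORBIDDEN_ELEMENTS:
            return False, f"<{name}> element is not allowed"
        if name == "style" and "javascript:" in _normalized(el.text or ""):
            return False, "<style> containing a javascript: URL is not allowed"
        for attr, value in el.attrib.items():
            a = _local(attr)
            if a.startswith("on"):  # onload, onclick, onmouseover, ...
                return False, f"event handler attribute {a} is not allowed"
            # Applies to href/xlink:href and to animate/set 'to'/'values'.
            if _normalized(value).startswith(("javascript:", "data:")):
                return False, f"attribute {a} uses a forbidden URL scheme"
    return True, "ok"

# Constructed samples: a benign icon and an SVG carrying an event handler.
SAMPLE_OK = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>'
SAMPLE_BAD = b'<svg xmlns="http://www.w3.org/2000/svg" onload="void 0"/>'
```

The check is deliberately strict: it also rejects data: URLs, so SVGs that embed raster images will be refused; relax that rule only if the site needs it, and serve any accepted SVG with Content-Disposition: attachment or from a separate origin so that a miss does not run in the admin session.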


Advisories

No advisories yet.

History

Sat, 16 May 2026 15:45:00 +0000

Type | Values Removed | Values Added
Description | | CMS Made Simple 2.2.15 contains a stored cross-site scripting vulnerability that allows authenticated users with Content Manager access to inject malicious scripts through SVG file uploads. Attackers can upload SVG files containing embedded JavaScript to the file manager, which executes when other authenticated users access the uploaded file, enabling cookie theft and session hijacking.
Title | | CMS Made Simple 2.2.15 Stored XSS via SVG File Upload
First Time appeared | | Cmsmadesimple; Cmsmadesimple cms Made Simple
Weaknesses | | CWE-79
CPEs | | cpe:2.3:a:cmsmadesimple:cms_made_simple:2.2.17:*:*:*:*:*:*:*
 | | cpe:2.3:a:cmsmadesimple:cms_made_simple:2.2.18:*:*:*:*:*:*:*
 | | cpe:2.3:a:cmsmadesimple:cms_made_simple:2.2.19:*:*:*:*:*:*:*
 | | cpe:2.3:a:cmsmadesimple:cms_made_simple:2.2.20:*:*:*:*:*:*:*
 | | cpe:2.3:a:cmsmadesimple:cms_made_simple:2.2.21:*:*:*:*:*:*:*
Vendors & Products | | Cmsmadesimple; Cmsmadesimple cms Made Simple
References | |
Metrics | | cvssV3_1 {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}
 | | cvssV4_0 {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-16T15:25:54.700Z

Reserved: 2026-05-15T14:49:49.739Z

Link: CVE-2020-37238

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-16T16:16:19.967

Modified: 2026-05-16T16:16:19.967

Link: CVE-2020-37238

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-16T17:30:27Z

Weaknesses