Description
Stored cross-site scripting (XSS) in NewsItemApiController In SimplCommerce prior to commit 6142d3b5 allows an authenticated administrator to execute arbitrary JavaScript via the ShortContent and FullContent fields, which are stored without HTML sanitization and rendered unencoded via @Html.Raw()
Published: 2026-06-17
Score: 6.2 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Stored cross‑site scripting (XSS) exists in the SimplCommerce NewsItemApiController; the ShortContent and FullContent fields are saved without any HTML sanitization and later rendered using @Html.Raw(), allowing an authenticated administrator to inject and execute arbitrary JavaScript through the news module interface. This flaw permits the attacker to run client‑side code within the context of an administrator's browser session, potentially compromising sensitive data, enabling credential theft or hijacking, and enabling further opportunistic actions on the system.

Affected Systems

The vulnerability affects SimplCommerce, specifically the News module used by administrators. All installations running a version of the product prior to the commit identified by 6142d3b5 are potentially vulnerable. Users who have not applied this commit are at risk.

Risk and Exploitability

The CVSS score of 6.2 indicates moderate severity, and the EPSS score is not available, suggesting limited public exploitation data. The flaw requires authenticated administrator access, so attackers must either have legitimate admin credentials or compromise an administrator's session. Since the vulnerability has not been listed in the CISA KEV catalog, there is no confirmed exploitation evidence at this time. When present, an attacker could inject malicious JavaScript into the news published content, which will run in any browser that loads the page, potentially allowing credential theft, session hijacking, or defacement. The lack of mitigating controls within the application makes exploitation straightforward for privileged users.

Generated by OpenCVE AI on June 18, 2026 at 11:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the upstream patch that introduces HTML sanitization for the ShortContent and FullContent fields, available in commit 6142d3b5 or the latest release.
  • Ensure that any future customizations of the news module enforce strict input validation and encoding, using trusted anti‑XSS libraries and avoiding raw rendering functions such as @Html.Raw.
  • Limit access to the news editing interface by restricting administrator roles, requiring multi‑factor authentication, and monitoring for suspicious changes or content injections.
  • Review the application’s output encoding settings to confirm that all user‑generated content is rendered safely, and consider implementing a content security policy to mitigate accidental XSS.

Generated by OpenCVE AI on June 18, 2026 at 11:55 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 17 Jun 2026 14:00:00 +0000

Type Values Removed Values Added
First Time appeared Simplcommerce
Simplcommerce simplcommerce
Vendors & Products Simplcommerce
Simplcommerce simplcommerce

Wed, 17 Jun 2026 12:45:00 +0000

Type Values Removed Values Added
Description Stored cross-site scripting (XSS) in NewsItemApiController In SimplCommerce prior to commit 6142d3b5 allows an authenticated administrator to execute arbitrary JavaScript via the ShortContent and FullContent fields, which are stored without HTML sanitization and rendered unencoded via @Html.Raw()
Title Stored Cross-Site Scripting (XSS) in SimplCommerce News Module Admin Interface
Weaknesses CWE-79
References
Metrics cvssV4_0

{'score': 6.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:H/SI:H/SA:N'}


Subscriptions

Simplcommerce Simplcommerce
cve-icon MITRE

Status: PUBLISHED

Assigner: Checkmarx

Published:

Updated: 2026-06-17T15:03:17.782Z

Reserved: 2026-06-11T11:55:32.835Z

Link: CVE-2026-11975

cve-icon Vulnrichment

Updated: 2026-06-17T15:03:15.117Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T12:00:16Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')