Description
GetSimpleCMS Community Edition (CE) versions prior to 3.3.22 (3.3.16 tested) contains a stored cross-site scripting (XSS) vulnerability in the Theme to Components functionality within components.php. User-supplied input provided to the "slug" field of a component is stored without proper output encoding. While other fields are sanitized using safe_slash_html(), the slug parameter is written to XML and later rendered in the administrative interface without sanitation, resulting in persistent execution of arbitrary JavaScript. An authenticated administrator can inject malicious script content that executes whenever the affected Components page is viewed by any authenticated user, enabling session hijacking, unauthorized administrative actions, and persistent compromise of the CMS administrative interface.
Published: 2026-02-24
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

GetSimpleCMS Community Edition versions prior to 3.3.22 contain a stored cross‑site scripting flaw in the Theme to Components feature within components.php. The vulnerability arises because user‑supplied data in the slug field of a component is written to XML without proper output encoding. The other component fields are sanitized with safe_slash_html(), but the slug is stored and later rendered in the administrative interface unsanitized, causing persistent execution of arbitrary JavaScript. An authenticated administrator can inject malicious script into the slug, which runs whenever the affected component page is viewed by any authenticated user, allowing session hijacking, unauthorized administrative actions, and ongoing compromise of the CMS administration interface.

Affected Systems

The affected vendor is GetSimpleCMS Community Edition. Vulnerable releases include all versions prior to 3.3.22 (e.g., 3.3.16) and have been confirmed to contain the flaw, while version 3.3.22 and later are no longer vulnerable.

Risk and Exploitability

The flaw has a CVSS v3.1 base score of 4.8, indicating moderate severity. EPSS shows a very low exploitation probability (< 1%), and the vulnerability is not listed in CISA’s KEV catalog. Attack requires an authenticated administrator who can create or edit a component with a malicious slug value; once stored, the payload is executed whenever other authenticated users view the component page. Based on the description, it is inferred that non‑authenticated users cannot exploit the flaw directly, but the impact becomes significant once administrative privileges are gained.

Generated by OpenCVE AI on May 26, 2026 at 01:54 UTC.

Remediation

Vendor Solution

Version 3.3.22 was confirmed to not be vulnerable

OpenCVE Recommended Actions

  • Upgrade GetSimpleCMS Community Edition to version 3.3.22 or later, which has been confirmed to be free of the vulnerable code and fixes the stored XSS flaw (CWE‑79).
  • If upgrading is delayed, delete or sanitize existing component slugs that may contain unsanitized input, effectively mitigating the CWE‑79 flaw.
  • Add a Web Application Firewall or input validation rule that encodes or rejects script content in the slug field to provide an additional layer of protection against CWE‑79 based cross‑site scripting.

Generated by OpenCVE AI on May 26, 2026 at 01:54 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 26 May 2026 00:00:00 +0000

Type Values Removed Values Added
Description GetSimpleCMS Community Edition (CE) version 3.3.16 contains a stored cross-site scripting (XSS) vulnerability in the Theme to Components functionality within components.php. User-supplied input provided to the "slug" field of a component is stored without proper output encoding. While other fields are sanitized using safe_slash_html(), the slug parameter is written to XML and later rendered in the administrative interface without sanitation, resulting in persistent execution of arbitrary JavaScript. An authenticated administrator can inject malicious script content that executes whenever the affected Components page is viewed by any authenticated user, enabling session hijacking, unauthorized administrative actions, and persistent compromise of the CMS administrative interface. GetSimpleCMS Community Edition (CE) versions prior to 3.3.22 (3.3.16 tested) contains a stored cross-site scripting (XSS) vulnerability in the Theme to Components functionality within components.php. User-supplied input provided to the "slug" field of a component is stored without proper output encoding. While other fields are sanitized using safe_slash_html(), the slug parameter is written to XML and later rendered in the administrative interface without sanitation, resulting in persistent execution of arbitrary JavaScript. An authenticated administrator can inject malicious script content that executes whenever the affected Components page is viewed by any authenticated user, enabling session hijacking, unauthorized administrative actions, and persistent compromise of the CMS administrative interface.

Thu, 05 Mar 2026 02:15:00 +0000

Type Values Removed Values Added
First Time appeared Get-simple
Get-simple getsimplecms
CPEs cpe:2.3:a:get-simple:getsimplecms:3.3.22:*:*:*:*:*:*:*
Vendors & Products Get-simple
Get-simple getsimplecms

Fri, 27 Feb 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 26 Feb 2026 22:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:getsimple-ce:getsimple_cms:*:*:*:*:community:*:*:*
Metrics cvssV3_1

{'score': 4.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N'}

Wed, 25 Feb 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Getsimple-ce
Getsimple-ce getsimple Cms
Vendors & Products Getsimple-ce
Getsimple-ce getsimple Cms

Tue, 24 Feb 2026 22:30:00 +0000

Type Values Removed Values Added
Description GetSimpleCMS Community Edition (CE) version 3.3.16 contains a stored cross-site scripting (XSS) vulnerability in the Theme to Components functionality within components.php. User-supplied input provided to the "slug" field of a component is stored without proper output encoding. While other fields are sanitized using safe_slash_html(), the slug parameter is written to XML and later rendered in the administrative interface without sanitation, resulting in persistent execution of arbitrary JavaScript. An authenticated administrator can inject malicious script content that executes whenever the affected Components page is viewed by any authenticated user, enabling session hijacking, unauthorized administrative actions, and persistent compromise of the CMS administrative interface.
Title GetSimpleCMS-CE < 3.3.22 Stored XSS via components.php
Weaknesses CWE-79
References
Metrics cvssV4_0

{'score': 4.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}

Subscriptions

Get-simple Getsimplecms
Getsimple-ce Getsimple Cms
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-25T23:41:45.891Z

Reserved: 2026-02-13T17:28:43.057Z

Link: CVE-2026-26351

cve-icon Vulnrichment

Updated: 2026-02-27T20:54:00.476Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-24T23:16:04.830

Modified: 2026-02-26T22:01:44.210

Link: CVE-2026-26351

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-26T02:00:14Z

Weaknesses