Description
GetSimpleCMS Community Edition (CE) version 3.3.16 contains a stored cross-site scripting (XSS) vulnerability in the Theme to Components functionality within components.php. User-supplied input provided to the "slug" field of a component is stored without proper output encoding. While other fields are sanitized using safe_slash_html(), the slug parameter is written to XML and later rendered in the administrative interface without sanitation, resulting in persistent execution of arbitrary JavaScript. An authenticated administrator can inject malicious script content that executes whenever the affected Components page is viewed by any authenticated user, enabling session hijacking, unauthorized administrative actions, and persistent compromise of the CMS administrative interface.
Published: 2026-02-24
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting in the CMS administrative interface enabling session hijacking and unauthorized administrative actions.
Action: Immediate Patch
AI Analysis

Impact

GetSimpleCMS Community Edition version 3.3.16 contains a stored cross‑site scripting vulnerability in components.php. User‑supplied input passed to the slug field is written to XML and later rendered in the admin interface without proper output encoding, resulting in persistent execution of arbitrary JavaScript. This type of flaw permits an authenticated administrator to inject malicious script that runs whenever the affected Components page is viewed by any authenticated user, enabling session hijacking, unauthorized administrative actions, and persistent compromise of the CMS administrative interface.

Affected Systems

The affected product is GetSimpleCMS Community Edition (GetSimple CE). Version 3.3.16 is the release in which the flaw was reported, and the CVE title covers releases before 3.3.22; version 3.3.22 was confirmed not to contain the flaw. The NVD record carries two CPE names for this product (getsimple-ce:getsimple_cms with a wildcard version and target "community", and get-simple:getsimplecms:3.3.22), so asset matching should be checked under both vendor spellings rather than relying on one.

Risk and Exploitability

The flaw carries a CVSS v3.1 base score of 4.8 (Medium; vector AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N) and the same 4.8 under CVSS v4.0. EPSS indicates a very low probability of exploitation (< 1%), the vulnerability is not catalogued in CISA’s KEV, and the SSVC assessment records no known exploitation and rates it not automatable. The attack requires an account that can create or edit components: the attacker saves a component whose slug contains markup, and the payload then executes in the browser of every other administrator who opens the Components page. Because the attacker must already hold administrative access, the flaw does not grant initial access; its value is persistence and lateral movement. A single compromised or malicious administrator account can plant a payload that runs in every other administrator’s session, hijacks those sessions or performs actions as them, and keeps working after the original account’s password is reset, until the stored slug itself is removed.

Generated by OpenCVE AI on April 17, 2026 at 15:36 UTC.

Remediation

Vendor Solution

Version 3.3.22 was confirmed to not be vulnerable.


OpenCVE Recommended Actions

  • Upgrade GetSimpleCMS Community Edition to version 3.3.22 or later, which was confirmed not to contain the vulnerable code (CWE‑79).
  • If upgrading is delayed, audit the stored component definitions (the components XML data file the description refers to) for slugs containing anything other than plain slug characters, and delete or rewrite any that do. This removes payloads already planted but does not close the flaw: a new malicious slug can be stored again until the code is patched.
  • As a stopgap, add a web application firewall or request‑validation rule that rejects component save requests whose slug parameter contains characters outside a strict allow‑list (letters, digits, hyphen, underscore). A WAF can only block or log requests; it cannot add the output encoding the fix requires, so treat it as a compensating control rather than a remediation for CWE‑79.
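The audit step above, together with the output-encoding gap the Description explains, as an added example (this is not code from GetSimpleCMS or from OpenCVE): a Python script that parses a components data file, flags every slug that fails a strict allow-list, and renders a flagged slug both the way the flawed code does (raw concatenation into admin HTML) and with output encoding applied. The element names (item, title, slug, value) approximate GetSimple's file layout and are an assumption; the sample XML is constructed for this example.

```python
import html
import re
import xml.etree.ElementTree as ET

# Constructed sample shaped like GetSimple's components data file. The element
# names (item/title/slug/value) are an assumption for this example; the second
# component carries a slug of the kind the advisory describes.
SAMPLE_COMPONENTS_XML = """<?xml version="1.0" encoding="UTF-8"?>
<item>
  <item>
    <title><![CDATA[Sidebar]]></title>
    <slug><![CDATA[sidebar]]></slug>
    <value><![CDATA[<p>Ordinary sidebar markup</p>]]></value>
  </item>
  <item>
    <title><![CDATA[Footer]]></title>
    <slug><![CDATA[footer"><img src=x onerror=alert(document.cookie)>]]></slug>
    <value><![CDATA[<p>Footer text</p>]]></value>
  </item>
</item>
"""

# Allow-list for slugs: a slug only ever needs lowercase letters, digits,
# hyphen and underscore, so anything else is rejected rather than escaped.
SLUG_RE = re.compile(r"[a-z0-9_-]{1,64}")


def is_safe_slug(slug: str) -> bool:
    """True only if the whole slug matches the allow-list."""
    return SLUG_RE.fullmatch(slug) is not None


def find_suspicious_slugs(xml_text: str) -> list[dict]:
    """Return the components whose stored slug fails the allow-list."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    findings = []
    for comp in root.findall("item"):
        slug = comp.findtext("slug") or ""
        if not is_safe_slug(slug):
            findings.append({"title": comp.findtext("title") or "", "slug": slug})
    return findings


def render_slug_vulnerable(slug: str) -> str:
    """The flawed pattern: the stored slug is concatenated into admin HTML
    as-is, so a slug containing '">' closes the attribute and injects markup."""
    return f'<input type="text" name="slug" value="{slug}">'


def render_slug_hardened(slug: str) -> str:
    """Output encoding at the render point: the same slug is inert once escaped."""
    return f'<input type="text" name="slug" value="{html.escape(slug, quote=True)}">'


if __name__ == "__main__":
    for f in find_suspicious_slugs(SAMPLE_COMPONENTS_XML):
        print(f"suspicious slug in component {f['title']!r}: {f['slug']!r}")
        print("  raw render:     ", render_slug_vulnerable(f["slug"]))
        print("  escaped render: ", render_slug_hardened(f["slug"]))
```

To audit a live site, pass the contents of its components data file (data/other/components.xml in a default GetSimple layout) to find_suspicious_slugs and treat every hit as a stored payload to remove. The two render functions show the general fix rather than the project's actual patch: validate the slug against an allow-list on input, and still HTML-encode it at the point it is written into the page.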


Advisories

No advisories yet.

History

Thu, 05 Mar 2026 02:15:00 +0000

Type: First Time appeared
  Values Added: Get-simple; Get-simple getsimplecms
Type: CPEs
  Values Added: cpe:2.3:a:get-simple:getsimplecms:3.3.22:*:*:*:*:*:*:*
Type: Vendors & Products
  Values Added: Get-simple; Get-simple getsimplecms

Fri, 27 Feb 2026 21:15:00 +0000

Type: Metrics (ssvc)
  Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 26 Feb 2026 22:15:00 +0000

Type: CPEs
  Values Added: cpe:2.3:a:getsimple-ce:getsimple_cms:*:*:*:*:community:*:*:*
Type: Metrics (cvssV3_1)
  Values Added: {'score': 4.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N'}


Wed, 25 Feb 2026 12:00:00 +0000

Type: First Time appeared
  Values Added: Getsimple-ce; Getsimple-ce getsimple Cms
Type: Vendors & Products
  Values Added: Getsimple-ce; Getsimple-ce getsimple Cms

Tue, 24 Feb 2026 22:30:00 +0000

Type: Description
  Values Added: GetSimpleCMS Community Edition (CE) version 3.3.16 contains a stored cross-site scripting (XSS) vulnerability in the Theme to Components functionality within components.php. User-supplied input provided to the "slug" field of a component is stored without proper output encoding. While other fields are sanitized using safe_slash_html(), the slug parameter is written to XML and later rendered in the administrative interface without sanitation, resulting in persistent execution of arbitrary JavaScript. An authenticated administrator can inject malicious script content that executes whenever the affected Components page is viewed by any authenticated user, enabling session hijacking, unauthorized administrative actions, and persistent compromise of the CMS administrative interface.
Type: Title
  Values Added: GetSimpleCMS-CE < 3.3.22 Stored XSS via components.php
Type: Weaknesses
  Values Added: CWE-79
Type: References
Type: Metrics (cvssV4_0)
  Values Added: {'score': 4.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-05T01:31:09.226Z

Reserved: 2026-02-13T17:28:43.057Z

Link: CVE-2026-26351

Vulnrichment

Updated: 2026-02-27T20:54:00.476Z

NVD

Status : Analyzed

Published: 2026-02-24T23:16:04.830

Modified: 2026-02-26T22:01:44.210

Link: CVE-2026-26351

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T15:45:15Z

Weaknesses