Description
A stored cross-site scripting (XSS) vulnerability in the /admin/config-module.php component of creatorsofcode simplephp GitHub commit 5184cff (Latest as of 2026-02-27) via injecting a crafted payload.
Published: 2026-05-27
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a stored cross‑site scripting flaw located in the /admin/config-module.php file of the creatorsofcode simplephp application. By submitting a crafted payload through a form that writes configuration data to storage, an attacker can inject arbitrary HTML and JavaScript that are later rendered when a user accesses the admin interface.

Affected Systems

The flaw affects the creatorsofcode simplephp project, specifically the repository identified by commit 5184cff, the latest state of the code as of February 27, 2026. No additional product or version ranges are listed; the issue exists in the current release of the application.

Risk and Exploitability

The EPSS score is not available and the vulnerability is not listed in CISA’s KEV catalog, so the exact likelihood of exploitation is uncertain. The CVSS score of 5.4 indicates moderate severity. The likely attack vector requires an attacker to have access to the administration interface or to supply a malicious configuration value that is subsequently displayed to other users. The attack vector is inferred from the description.

Generated by OpenCVE AI on May 27, 2026 at 23:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Replace the vulnerable /admin/config-module.php file with a patched version from the official repository that properly escapes or sanitizes stored input.
  • Implement server‑side input validation to reject or escape any HTML markup before storing configuration data.
  • Deploy a Content Security Policy that restricts the execution of inline scripts on the admin pages to reduce the impact of any remaining XSS.
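The second and third actions above are the defender's standard answer to a stored XSS of this kind: validate and constrain what reaches storage, escape everything at the point it is rendered, and add a CSP so that any surviving injection cannot execute inline script. The PHP below is an added example written for this page, not code from the simplephp project or from the vulnerable config-module.php; the file path, key allowlist and function names (validate_config, render_config_unsafe, render_config_safe, send_admin_csp) are hypothetical. It shows the unsafe echo-what-was-stored pattern beside the hardened version so the difference is concrete.

```php
<?php
// Added example (not simplephp's own code): a minimal config save/render round trip
// showing the stored-XSS pattern beside its hardened form. All names are hypothetical.
declare(strict_types=1);

const CONFIG_FILE = __DIR__ . '/config.example.json';   // hypothetical storage location

// Allowlist of configuration keys the admin form may set; anything else is rejected.
const ALLOWED_KEYS = ['site_title', 'admin_email', 'footer_text'];

/**
 * Server-side validation before storage. Configuration values are plain text,
 * so any value containing markup is rejected outright rather than "cleaned".
 * Throws InvalidArgumentException on bad input; returns the accepted values.
 */
function validate_config(array $input): array
{
    $clean = [];
    foreach ($input as $key => $value) {
        if (!in_array($key, ALLOWED_KEYS, true)) {
            throw new InvalidArgumentException("unknown config key: $key");
        }
        if (!is_string($value) || strlen($value) > 200) {
            throw new InvalidArgumentException("invalid value for $key");
        }
        if ($value !== strip_tags($value)) {
            throw new InvalidArgumentException("HTML markup is not allowed in $key");
        }
        if ($key === 'admin_email' && filter_var($value, FILTER_VALIDATE_EMAIL) === false) {
            throw new InvalidArgumentException('admin_email must be a valid address');
        }
        $clean[$key] = $value;
    }
    return $clean;
}

function save_config(array $config): void
{
    file_put_contents(CONFIG_FILE, json_encode($config, JSON_THROW_ON_ERROR), LOCK_EX);
}

function load_config(): array
{
    return file_exists(CONFIG_FILE)
        ? json_decode(file_get_contents(CONFIG_FILE), true, 512, JSON_THROW_ON_ERROR)
        : [];
}

/** Escaping for HTML text and double-quoted attribute values. */
function esc(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// VULNERABLE pattern (stored XSS): stored values are interpolated straight into the page.
function render_config_unsafe(array $config): string
{
    $html = '';
    foreach ($config as $key => $value) {
        $html .= "<label>$key <input name=\"$key\" value=\"$value\"></label>\n";
    }
    return $html;
}

// HARDENED pattern: every stored value is escaped where it is rendered, regardless
// of whether validation ran when it was stored (defence in depth).
function render_config_safe(array $config): string
{
    $html = '';
    foreach ($config as $key => $value) {
        $html .= '<label>' . esc($key) . ' <input name="' . esc($key)
               . '" value="' . esc($value) . '"></label>' . "\n";
    }
    return $html;
}

// Third layer: a CSP for admin pages that disallows inline script. Must be sent
// before any output.
function send_admin_csp(): void
{
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; "
         . "object-src 'none'; base-uri 'self'; frame-ancestors 'none'");
}

// Demo on a constructed submission containing benign markup.
$submitted = ['site_title' => 'My <b>site</b>'];   // constructed sample input
try {
    save_config(validate_config($submitted));
} catch (InvalidArgumentException $ex) {
    echo 'rejected at input: ', $ex->getMessage(), "\n";
}
// If markup ever reached storage by another path, the safe renderer still neutralises it:
// the <b> tags come out as &lt;b&gt; and are displayed, not interpreted.
echo render_config_safe(['site_title' => 'My <b>site</b>']);
```

Run it with `php example.php`: the submission is rejected by validate_config, and the safe renderer prints the stored value with `&lt;b&gt;` in place of `<b>`. The unsafe renderer is kept only for comparison; replacing each interpolation with `esc()` is the one-line change that closes this class of bug, and the CSP limits what an overlooked sink could do.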



Advisories

No advisories yet.

History

Sat, 30 May 2026 23:00:00 +0000

Type: First Time appeared
Values Removed: none
Values Added: Creatorsofcode; Creatorsofcode simplephp

Type: Vendors & Products
Values Removed: none
Values Added: Creatorsofcode; Creatorsofcode simplephp

Wed, 27 May 2026 19:30:00 +0000

Type: Weaknesses
Values Removed: none
Values Added: CWE-79

Type: Metrics
Values Removed: none
Values Added:
  cvssV3_1: {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}
  ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 27 May 2026 16:30:00 +0000

Type: Description
Values Removed: none
Values Added: A stored cross-site scripting (XSS) vulnerability in the /admin/config-module.php component of creatorsofcode simplephp GitHub commit 5184cff (Latest as of 2026-02-27) via injecting a crafted payload.

Type: References
Values Removed: none
Values Added: none shown

Subscriptions

Creatorsofcode Simplephp
MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-27T18:12:19.522Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-38931

Vulnrichment

Updated: 2026-05-27T18:11:39.865Z

NVD

Status: Deferred

Published: 2026-05-27T17:16:34.083

Modified: 2026-05-27T20:04:31.980

Link: CVE-2026-38931

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-30T21:22:19Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')