CVE-2026-6184 - Vulnerability Details

- code-projects Simple Content Management System welcome.php cross site scripting

Description

A weakness has been identified in code-projects Simple Content Management System 1.0. This affects an unknown part of the file /web/admin/welcome.php. Executing a manipulation of the argument News Title can lead to cross site scripting. The attack can be executed remotely. The exploit has been made available to the public and could be used for attacks.

Published: 2026-04-13

Score: 4.8 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A stored cross‑site scripting flaw resides in the /web/admin/welcome.php file of Simple Content Management System 1.0. By manipulating the News Title argument, an attacker can inject arbitrary JavaScript that executes in the browsers of users who view the affected content. This can lead to session hijacking, defacement, or theft of sensitive information. The weakness is a classic input‑validation error mapped to CWE‑79 and also involves code injection aspects corresponding to CWE‑94. The primary impact is a compromise of confidentiality and integrity for anyone who loads the malicious page.

Affected Systems

The vulnerability affects installations of code‑projects Simple Content Management System version 1.0. No specific build or configuration details beyond the presence of the /web/admin/welcome.php page are provided, so any deployment of this version that allows editing of the News Title field is potentially vulnerable.

Risk and Exploitability

The CVSS base score is 4.8, indicating a moderate severity. Exploit confidence data (EPSS) is unavailable, and the vulnerability is not listed in the CISA KEV catalog. The description indicates that the exploit is publicly available and can be launched remotely by sending a crafted request that modifies the News Title parameter. Given the mode of exploitation (stored XSS) and the public availability of the exploit code, the risk to affected systems is significant, especially when rendered pages are accessed by untrusted users.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

code-projects

Simple Content Management System

affected

Version	Status	Constraints
`1.0`	affected	—

No data.

Vendor Product Confidence Versions

Code-projects

Simple Content Management System

100%

Version	Status	Scheme	Platform
`1.0`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Check the vendor’s website for an official patch or newer release that removes the flaw in /web/admin/welcome.php.
If a patch is not immediately available, implement input sanitization on the News Title field to escape or strip JavaScript and other executable content.
Restrict who can update the News Title field to authenticated administrators only and enforce role‑based access control.
Regularly scan stored content for unexpected scripts and monitor web traffic for anomalous page loads indicating XSS activity.

Generated by OpenCVE AI on April 13, 2026 at 16:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Network

Attack Complexity Low

Privileges Required High

Attack Requirements None

User Interaction Passive

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction Required

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction Required

Access Vector Network

Access Complexity Low

Authentication Multiple

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

This CVE is not in the KEV list.

The EPSS score is 0.00032.

Exploitation poc

Automatable no

Technical Impact partial

References

Link	Providers
https://code-projects.org/
https://github.com/Xmyronn/simple-cms-stored-xss-news-title
https://vuldb.com/submit/797265
https://vuldb.com/vuln/357107
https://vuldb.com/vuln/357107/cti

History

Tue, 14 Apr 2026 16:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Code-projects Code-projects simple Content Management System
Vendors & Products		Code-projects Code-projects simple Content Management System

Mon, 13 Apr 2026 17:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Mon, 13 Apr 2026 15:30:00 +0000

Type	Values Removed	Values Added
Description		A weakness has been identified in code-projects Simple Content Management System 1.0. This affects an unknown part of the file /web/admin/welcome.php. Executing a manipulation of the argument News Title can lead to cross site scripting. The attack can be executed remotely. The exploit has been made available to the public and could be used for attacks.
Title		code-projects Simple Content Management System welcome.php cross site scripting
Weaknesses		CWE-79 CWE-94
References		https://code-projects.org/ https://github.com/Xmyronn/simple-cms-stored-xss-news-title https://vuldb.com/submit/797265 https://vuldb.com/vuln/357107 https://vuldb.com/vuln/357107/cti
Metrics		cvssV2_0 `{'score': 3.3, 'vector': 'AV:N/AC:L/Au:M/C:N/I:P/A:N/E:POC/RL:ND/RC:UR'}` cvssV3_0 `{'score': 2.4, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}` cvssV3_1 `{'score': 2.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}` cvssV4_0 `{'score': 4.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}`

Subscriptions

Code-projects Simple Content Management System

MITRE

Status: PUBLISHED

Assigner: VulDB

Published: 2026-04-13T15:00:21.266Z

Updated: 2026-04-13T17:00:56.914Z

Reserved: 2026-04-13T08:24:43.829Z

Link: CVE-2026-6184

Vulnrichment

Updated: 2026-04-13T17:00:47.425Z

NVD

Status : Deferred

Published: 2026-04-13T16:16:35.257

Modified: 2026-04-29T01:00:01.613

Link: CVE-2026-6184

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-14T16:34:14Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required High

Attack Requirements None

User Interaction Passive

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction Required

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction Required

Access Vector Network

Access Complexity Low

Authentication Multiple

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

Exploitation poc

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object