CVE-2026-26351

GetSimpleCMS Community Edition (CE) versions prior to 3.3.22 (3.3.16 tested) contains a stored cross-site scripting (XSS) vulnerability in the Theme to Components functionality within components.php. User-supplied input provided to the "slug" field of a component is stored without proper output encoding. While other fields are sanitized using safe_slash_html(), the slug parameter is written to XML and later rendered in the administrative interface without sanitation, resulting in persistent execution of arbitrary JavaScript. An authenticated administrator can inject malicious script content that executes whenever the affected Components page is viewed by any authenticated user, enabling session hijacking, unauthorized administrative actions, and persistent compromise of the CMS administrative interface.

CVSS v3 4.8 MEDIUM

4.8^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 1.7 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://getsimple-ce.ovh/	Product
https://github.com/GetSimpleCMS-CE/GetSimpleCMS-CE/releases/tag/v3.3.22	Product Release Notes
https://github.com/GetSimpleCMS-CE/GetSimpleCMS-CE/security/advisories/GHSA-95f7-vm92-8gpx	Broken Link
https://www.vulncheck.com/advisories/getsimplecms-ce-stored-xss-via-components-php	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:getsimple-ce:getsimple_cms:*:*:*:*:community:*:*:*

History

26 May 2026, 00:16

Type	Values Removed	Values Added
Summary		(es) GetSimpleCMS Community Edition (CE) versión 3.3.16 contiene una vulnerabilidad de cross-site scripting (XSS) almacenada en la funcionalidad Theme to Components dentro de components.PHP. La entrada proporcionada por el usuario al campo 'slug' de un componente se almacena sin una codificación de salida adecuada. Mientras que otros campos son saneados usando safe_slash_html(), el parámetro slug se escribe en XML y luego se renderiza en la interfaz de administración sin saneamiento, lo que resulta en la ejecución persistente de JavaScript arbitrario. Un administrador autenticado puede inyectar contenido de script malicioso que se ejecute cada vez que un usuario autenticado ve la página afectada de Componentes, lo que permite el secuestro de sesión, acciones de administración no autorizadas y el compromiso persistente de la interfaz de administración del CMS.
Summary	(en) GetSimpleCMS Community Edition (CE) version 3.3.16 contains a stored cross-site scripting (XSS) vulnerability in the Theme to Components functionality within components.php. User-supplied input provided to the "slug" field of a component is stored without proper output encoding. While other fields are sanitized using safe_slash_html(), the slug parameter is written to XML and later rendered in the administrative interface without sanitation, resulting in persistent execution of arbitrary JavaScript. An authenticated administrator can inject malicious script content that executes whenever the affected Components page is viewed by any authenticated user, enabling session hijacking, unauthorized administrative actions, and persistent compromise of the CMS administrative interface.	(en) GetSimpleCMS Community Edition (CE) versions prior to 3.3.22 (3.3.16 tested) contains a stored cross-site scripting (XSS) vulnerability in the Theme to Components functionality within components.php. User-supplied input provided to the "slug" field of a component is stored without proper output encoding. While other fields are sanitized using safe_slash_html(), the slug parameter is written to XML and later rendered in the administrative interface without sanitation, resulting in persistent execution of arbitrary JavaScript. An authenticated administrator can inject malicious script content that executes whenever the affected Components page is viewed by any authenticated user, enabling session hijacking, unauthorized administrative actions, and persistent compromise of the CMS administrative interface.

26 Feb 2026, 22:01

Type	Values Removed	Values Added
CPE		cpe:2.3:a:getsimple-ce:getsimple_cms:::::community:::*
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 4.8
First Time		Getsimple-ce getsimple Cms Getsimple-ce
References	~~() https://getsimple-ce.ovh/ -~~	() https://getsimple-ce.ovh/ - Product
References	~~() https://github.com/GetSimpleCMS-CE/GetSimpleCMS-CE/releases/tag/v3.3.22 -~~	() https://github.com/GetSimpleCMS-CE/GetSimpleCMS-CE/releases/tag/v3.3.22 - Product, Release Notes
References	~~() https://github.com/GetSimpleCMS-CE/GetSimpleCMS-CE/security/advisories/GHSA-95f7-vm92-8gpx -~~	() https://github.com/GetSimpleCMS-CE/GetSimpleCMS-CE/security/advisories/GHSA-95f7-vm92-8gpx - Broken Link
References	~~() https://www.vulncheck.com/advisories/getsimplecms-ce-stored-xss-via-components-php -~~	() https://www.vulncheck.com/advisories/getsimplecms-ce-stored-xss-via-components-php - Third Party Advisory

24 Feb 2026, 23:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-02-24 23:16

Updated : 2026-05-26 00:16

NVD link : CVE-2026-26351

Mitre link : CVE-2026-26351

CVE.ORG link : CVE-2026-26351

JSON object : View

Products Affected

getsimple-ce

getsimple_cms

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

4.8 /10