CVE-2026-11975
MEDIUM
Stored Cross-Site Scripting (XSS) in SimplCommerce News Module Admin Interface
Title source: cna
Description
Stored cross-site scripting (XSS) in NewsItemApiController in SimplCommerce prior to commit 6142d3b5 allows an authenticated administrator to execute arbitrary JavaScript via the ShortContent and FullContent fields, which are stored without HTML sanitization and rendered unencoded via @Html.Raw().
References (2)
Core 2
Scores
CVSS v4: 6.2
EPSS: 0.0026
EPSS Percentile: 16.7%
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CISA SSVC
Vulnrichment
Exploitation: none
Automatable: no
Technical Impact: partial
Details
CWE: CWE-79
Status: published
Products (1)
simplcommerce/SimplCommerce < 6142d3b5
Published: Jun 17, 2026
Tracked Since: Jun 17, 2026