CVE-2026-26351

MEDIUM

GetSimpleCMS CE 3.3.16 - Stored XSS

Title source: llm

Description

GetSimpleCMS Community Edition (CE) versions prior to 3.3.22 (3.3.16 tested) contains a stored cross-site scripting (XSS) vulnerability in the Theme to Components functionality within components.php. User-supplied input provided to the "slug" field of a component is stored without proper output encoding. While other fields are sanitized using safe_slash_html(), the slug parameter is written to XML and later rendered in the administrative interface without sanitation, resulting in persistent execution of arbitrary JavaScript. An authenticated administrator can inject malicious script content that executes whenever the affected Components page is viewed by any authenticated user, enabling session hijacking, unauthorized administrative actions, and persistent compromise of the CMS administrative interface.

References (4)

Core 4

Core References

Various Sources product

https://getsimple-ce.ovh/

Vendor Advisory vendor-advisory

https://github.com/GetSimpleCMS-CE/GetSimpleCMS-CE/security/advisories/GHSA-95f7-vm92-8gpx

Release Notes release-notes patch

https://github.com/GetSimpleCMS-CE/GetSimpleCMS-CE/releases/tag/v3.3.22

Third Party Advisory third-party-advisory

https://www.vulncheck.com/advisories/getsimplecms-ce-stored-xss-via-components-php

Scores

CVSS v3 4.8

EPSS 0.0029

EPSS Percentile 21.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-79

Status published

Products (3)

getsimple-ce/getsimple_cms 3.3.16 - 3.3.22

GetSimpleCMS-CE/GetSimpleCMS-CE 3.3.16

GetSimpleCMS-CE/GetSimpleCMS-CE 3.3.22

Published Feb 24, 2026

Tracked Since Feb 25, 2026