CVE-2026-27147
MEDIUMGetSimple CMS < 3.3.22 - Authenticated Stored Cross-Site Scripting via SVG File Upload
Title source: llmDescription
GetSimple CMS is a content management system. All versions of GetSimple CMS are vulnerable to XSS through SVG file uploads. Authenticated users can upload SVG files via the administrative upload functionality, but they are not properly sanitized or restricted, allowing an attacker to embed malicious JavaScript. When the uploaded SVG file is accessed, the script executes in the browser. This issue does not have a fix at the time of publication.
References (1)
Core 1
Core References
Vendor Advisory x_refsource_confirm
https://github.com/GetSimpleCMS-CE/GetSimpleCMS-CE/security/advisories/GHSA-5gmq-hrcx-6w45
Scores
CVSS v3
5.4
EPSS
0.0020
EPSS Percentile
9.6%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-79
Status
published
Products (1)
getsimple-ce/getsimple_cms
< 3.3.22
Published
Feb 21, 2026
Tracked Since
Feb 21, 2026