CVE-2026-26351 PUBLISHED

GetSimpleCMS-CE < 3.3.22 Stored XSS via components.php

Assigner: VulnCheck
Reserved: 13.02.2026 Published: 24.02.2026 Updated: 24.02.2026

GetSimpleCMS Community Edition (CE) version 3.3.16 contains a stored cross-site scripting (XSS) vulnerability in the Theme to Components functionality within components.php. User-supplied input provided to the "slug" field of a component is stored without proper output encoding. While other fields are sanitized using safe_slash_html(), the slug parameter is written to XML and later rendered in the administrative interface without sanitation, resulting in persistent execution of arbitrary JavaScript. An authenticated administrator can inject malicious script content that executes whenever the affected Components page is viewed by any authenticated user, enabling session hijacking, unauthorized administrative actions, and persistent compromise of the CMS administrative interface.

Metrics

CVSS 4.0

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
CVSS Score: 4.8

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Network	Confidentiality	None	Confidentiality	Low
Attack Complexity	Low	Integrity	None	Integrity	Low
Attack Requirements	None	Availability	None	Availability	None
Privileges Required	High
User Interaction	Passive

CVSS 4.0

Product Status

Vendor	GetSimpleCMS-CE
Product	GetSimpleCMS-CE
Versions	Default: unknown Version 3.3.16 is affected Version 3.3.22 is unaffected

Solutions

Version 3.3.22 was confirmed to not be vulnerable

Credits

Beatriz Fresno Naumova finder
VulnCheck coordinator

References

Problem Types

CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') CWE