PatchSiren cyber security CVE debrief
CVE-2026-38931 creatorsofcode CVE debrief
A stored cross-site scripting (XSS) vulnerability exists in the /admin/config-module.php component of creatorsofcode simplephp, specifically in GitHub commit 5184cff (latest as of 2026-02-27). The vulnerability allows an attacker with low privileges to inject a crafted payload that executes in the context of another user's browser session. The CVSS 3.1 score of 5.4 (MEDIUM) reflects network attack vector, low attack complexity, low privileges required, user interaction required, and changed scope with low impacts to confidentiality and integrity. The vulnerability was published to the CVE List on 2026-05-27 and last modified the same day. The NVD entry currently shows a status of 'Deferred'. The weakness is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation). No known exploitation in the wild or ransomware campaign use has been documented.
- Vendor: creatorsofcode
- Product: simplephp
- CVSS: MEDIUM 5.4
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-27
- Original CVE updated: 2026-05-27
- Advisory published: 2026-05-27
- Advisory updated: 2026-05-27
Who should care
Organizations running creatorsofcode simplephp with administrative interfaces exposed; security teams monitoring for XSS vulnerabilities in PHP-based content management or configuration systems; developers maintaining forked versions of simplephp.
Technical summary
The vulnerability is a stored XSS (CWE-79) in the administrative configuration module of simplephp. An attacker with low privileges can inject malicious scripts that persist and execute when other users access the affected page. The attack requires user interaction (e.g., an administrator viewing the compromised configuration) and can affect resources beyond the vulnerable component due to changed scope. No authentication bypass is required, but some level of privilege is necessary to reach the injection point.
Defensive priority
medium
Recommended defensive actions
- Review and restrict access to /admin/config-module.php in simplephp deployments
- Implement input validation and output encoding for all user-supplied data in administrative interfaces
- Apply Content Security Policy (CSP) headers to mitigate XSS impact
- Monitor for patches or updates from the creatorsofcode project
- Conduct code review of commit 5184cff and subsequent commits for security fixes
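As an added illustration of the output-encoding and CSP recommendations above (example code written for this debrief, not code from creatorsofcode simplephp; the settings keys, the sample value, the form layout and the helper name `h()` are assumptions):

```php
<?php
// Added example, not simplephp's own code: rendering stored admin settings
// without creating a stored XSS. Keys, values and layout are constructed.
declare(strict_types=1);

// Constructed sample of settings as they might be read back from storage.
// The second value deliberately contains HTML metacharacters so the effect
// of encoding is visible in the rendered page source.
$settings = [
    'site_name'   => 'Example Site',
    'footer_text' => '<b>Contact</b> & "support" <a href=\'#\'>',
];

// Input validation on the write path: only known keys, bounded length.
// Validation limits what is stored; it does not replace output encoding.
const ALLOWED_KEYS = ['site_name', 'footer_text'];
function validateSetting(string $key, string $value): bool
{
    return in_array($key, ALLOWED_KEYS, true) && strlen($value) <= 512;
}

// Output encoding for HTML body and attribute contexts. ENT_QUOTES encodes
// both quote styles, so the value is also safe inside quoted attributes.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// CSP that blocks inline and third-party script. This reduces the impact
// of an injection that slips through; it is a second layer, not a fix.
header("Content-Security-Policy: default-src 'self'; script-src 'self'; "
     . "object-src 'none'; base-uri 'self'; frame-ancestors 'none'");
header('X-Content-Type-Options: nosniff');

// Vulnerable pattern (the CWE-79 shape this CVE describes), for contrast:
//   echo '<input name="footer_text" value="' . $settings['footer_text'] . '">';
// Hardened rendering below: every stored key and value passes through h().
?>
<form method="post" action="config-module.php">
<?php foreach ($settings as $key => $value): ?>
    <label for="<?= h($key) ?>"><?= h($key) ?></label>
    <input id="<?= h($key) ?>" name="<?= h($key) ?>" value="<?= h($value) ?>">
<?php endforeach; ?>
    <button type="submit">Save</button>
</form>
```

With this rendering, the constructed `footer_text` value appears in page source as `&lt;b&gt;Contact&lt;/b&gt; &amp; &quot;support&quot; &lt;a href=&#039;#&#039;&gt;` and is shown as literal text rather than parsed as markup.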
Evidence notes
The CVE description identifies the vulnerable component as /admin/config-module.php in creatorsofcode simplephp at commit 5184cff. The CVSS vector (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N) confirms network accessibility with user interaction required. CWE-79 is cited as the weakness type. The NVD status is 'Deferred', indicating the entry may be awaiting additional analysis.
Official resources
The vulnerability was disclosed via MITRE and NVD on 2026-05-27. The affected product appears to be 'simplephp' by 'creatorsofcode', though vendor identification carries low confidence and requires review. The specific vulnerable commit (