PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-26351 GetSimpleCMS-CE CVE debrief

CVE-2026-26351 is a stored cross-site scripting (XSS) vulnerability affecting GetSimpleCMS Community Edition (CE) versions prior to 3.3.22. The vulnerability exists in the Theme to Components functionality within components.php, where user-supplied input provided to the 'slug' field of a component is stored without proper output encoding. Authenticated administrators can inject malicious script content that executes whenever the affected Components page is viewed by any authenticated user, enabling session hijacking, unauthorized administrative actions, and persistent compromise of the CMS administrative interface. The vulnerability has a CVSS score of 4.8 and is considered Medium severity.

Vendor
GetSimpleCMS-CE
Product
Unknown
CVSS
MEDIUM 4.8
CISA KEV
Not listed in stored evidence
Original CVE published
2026-02-24
Original CVE updated
2026-07-14
Advisory published
2026-02-24
Advisory updated
2026-07-14

Who should care

Authenticated administrators of GetSimpleCMS Community Edition (CE) versions prior to 3.3.22 should be aware of this vulnerability, as it allows for the injection of malicious script content that can execute whenever the affected Components page is viewed by any authenticated user.

Technical summary

The vulnerability exists due to improper output encoding of user-supplied input provided to the 'slug' field of a component in components.php. While other fields are sanitized using safe_slash_html(), the slug parameter is written to XML and later rendered in the administrative interface without sanitation, resulting in persistent execution of arbitrary JavaScript. This allows an authenticated administrator to inject malicious script content that can execute whenever the affected Components page is viewed by any authenticated user.

Defensive priority

Medium priority, as the vulnerability requires authentication and has a CVSS score of 4.8.

Recommended defensive actions

  • Inventory and verify affected GetSimpleCMS Community Edition (CE) versions prior to 3.3.22.
  • Apply the vendor-provided patch by upgrading to version 3.3.22 or later.
  • Implement compensating controls, such as web application firewalls (WAFs) or intrusion detection systems (IDS), to detect and prevent exploitation.
  • Monitor for suspicious activity and implement exception tracking to detect potential exploitation attempts.
  • Consider implementing additional security measures, such as input validation and output encoding, to prevent similar vulnerabilities.

Evidence notes

The CVE record was published on 2026-02-24T23:16:04.830Z and was last modified on 2026-07-14T19:16:51.993Z. The NVD entry is currently Modified. The vulnerability affects GetSimpleCMS Community Edition (CE) versions prior to 3.3.22. The Theme to Components functionality within components.php is the affected component. The 'slug' field of a component is the specific input that is stored without proper output encoding.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-02-24T23:16:04.830Z and has not been modified since then. The NVD entry is currently Modified.