PatchSiren cyber security CVE debrief
CVE-2026-26351 GetSimpleCMS-CE CVE debrief
CVE-2026-26351 is a stored cross-site scripting (XSS) vulnerability affecting GetSimpleCMS Community Edition (CE) versions prior to 3.3.22. The vulnerability exists in the Theme to Components functionality within components.php, where user-supplied input provided to the 'slug' field of a component is stored without proper output encoding. Authenticated administrators can inject malicious script content that executes whenever the affected Components page is viewed by any authenticated user, enabling session hijacking, unauthorized administrative actions, and persistent compromise of the CMS administrative interface. The vulnerability has a CVSS score of 4.8 and is considered Medium severity.
- Vendor
- GetSimpleCMS-CE
- Product
- Unknown
- CVSS
- MEDIUM 4.8
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-02-24
- Original CVE updated
- 2026-07-14
- Advisory published
- 2026-02-24
- Advisory updated
- 2026-07-14
Who should care
Authenticated administrators of GetSimpleCMS Community Edition (CE) versions prior to 3.3.22 should be aware of this vulnerability, as it allows for the injection of malicious script content that can execute whenever the affected Components page is viewed by any authenticated user.
Technical summary
The vulnerability exists due to improper output encoding of user-supplied input provided to the 'slug' field of a component in components.php. While other fields are sanitized using safe_slash_html(), the slug parameter is written to XML and later rendered in the administrative interface without sanitation, resulting in persistent execution of arbitrary JavaScript. This allows an authenticated administrator to inject malicious script content that can execute whenever the affected Components page is viewed by any authenticated user.
Defensive priority
Medium priority, as the vulnerability requires authentication and has a CVSS score of 4.8.
Recommended defensive actions
- Inventory and verify affected GetSimpleCMS Community Edition (CE) versions prior to 3.3.22.
- Apply the vendor-provided patch by upgrading to version 3.3.22 or later.
- Implement compensating controls, such as web application firewalls (WAFs) or intrusion detection systems (IDS), to detect and prevent exploitation.
- Monitor for suspicious activity and implement exception tracking to detect potential exploitation attempts.
- Consider implementing additional security measures, such as input validation and output encoding, to prevent similar vulnerabilities.
Evidence notes
The CVE record was published on 2026-02-24T23:16:04.830Z and was last modified on 2026-07-14T19:16:51.993Z. The NVD entry is currently Modified. The vulnerability affects GetSimpleCMS Community Edition (CE) versions prior to 3.3.22. The Theme to Components functionality within components.php is the affected component. The 'slug' field of a component is the specific input that is stored without proper output encoding.
Official resources
-
CVE-2026-26351 CVE record
CVE.org
-
CVE-2026-26351 NVD detail
NVD
-
Source item URL
nvd_modified
-
Source reference
[email protected] - Product
-
Mitigation or vendor reference
[email protected] - Product, Release Notes
-
Source reference
[email protected] - Broken Link
-
Mitigation or vendor reference
[email protected] - Third Party Advisory
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-02-24T23:16:04.830Z and has not been modified since then. The NVD entry is currently Modified.