Vulnerability Description
GetSimpleCMS Community Edition (CE) version 3.3.16 contains a stored cross-site scripting (XSS) vulnerability in the Theme to Components functionality within components.php. User-supplied input provided to the "slug" field of a component is stored without proper output encoding. While other fields are sanitized using safe_slash_html(), the slug parameter is written to XML and later rendered in the administrative interface without sanitization, resulting in persistent execution of arbitrary JavaScript. An authenticated administrator can inject malicious script content that executes whenever the affected Components page is viewed by any authenticated user, enabling session hijacking, unauthorized administrative actions, and persistent compromise of the CMS administrative interface.
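The pattern the description refers to, as an added illustration that is not GetSimpleCMS code: a stored slug echoed into an admin form without encoding, beside the encoded rendering and an input-side slug check. The component array, the function names and the slug character set are assumptions made for this example.

```php
<?php
// Added illustration (hypothetical, not the GetSimpleCMS code base):
// rendering a stored component slug inside an administrative form.

// Constructed sample of a component whose slug was saved without
// sanitisation, as the advisory describes for the slug field only.
$component = [
    'title' => 'Sidebar',
    'slug'  => 'sidebar"><b>not a slug</b>',   // constructed value containing markup
];

// Weak pattern: the stored slug is concatenated straight into the
// value attribute, so any markup it carries becomes part of the admin page.
function render_slug_unsafe(array $c): string
{
    return '<input type="text" name="slug" value="' . $c['slug'] . '">';
}

// Hardened pattern: contextual output encoding at render time.
// ENT_QUOTES encodes both quote styles, so the value cannot terminate
// the attribute or introduce new elements.
function render_slug_safe(array $c): string
{
    $slug = htmlspecialchars($c['slug'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="text" name="slug" value="' . $slug . '">';
}

// Defence in depth: accept only the characters a slug needs on input
// (assumed format: lowercase alphanumerics separated by single hyphens),
// so markup never reaches the XML store in the first place.
function validate_slug(string $slug): bool
{
    return (bool) preg_match('/\A[a-z0-9]+(?:-[a-z0-9]+)*\z/', $slug);
}

echo render_slug_unsafe($component), PHP_EOL;
echo render_slug_safe($component), PHP_EOL;
var_dump(validate_slug($component['slug']));
var_dump(validate_slug('sidebar'));
```

Output encoding at the point of rendering is the fix that closes the stored XSS; the input check only reduces what can be stored and does not replace it.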
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Getsimple-Ce | Getsimple Cms | >= 3.3.16, < 3.3.22 |
Related Weaknesses (CWE)
References
- https://getsimple-ce.ovh/ (Product)
- https://github.com/GetSimpleCMS-CE/GetSimpleCMS-CE/releases/tag/v3.3.22 (Product, Release Notes)
- https://github.com/GetSimpleCMS-CE/GetSimpleCMS-CE/security/advisories/GHSA-95f7 (Broken Link)
- https://www.vulncheck.com/advisories/getsimplecms-ce-stored-xss-via-components-p (Third Party Advisory)
FAQ
What is CVE-2026-26351?
CVE-2026-26351 is a vulnerability with a CVSS score of 4.8 (MEDIUM). GetSimpleCMS Community Edition (CE) version 3.3.16 contains a stored cross-site scripting (XSS) vulnerability in the Theme to Components functionality within components.php. User-supplied input provid...
How severe is CVE-2026-26351?
CVE-2026-26351 has been rated MEDIUM with a CVSS base score of 4.8/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2026-26351?
Check the references section above for vendor advisories and patch information. Affected products include: Getsimple-Ce Getsimple Cms.