GetSimpleCMS-CE Stored XSS via components.php (CVE-2026-26351)
Author: Beatriz Fresno Naumova
Date: 24/02/2026
Vendor: GetSimpleCMS-CE
Product: GetSimpleCMS Community Edition
Version Affected: 3.3.16
Fixed Version: 3.3.22
Component: Theme → Components – components.php
CWE: CWE-79 – Improper Neutralization of Input During Web Page Generation (XSS)
Attack Vector: Remote (authenticated administrator required)
Description
GetSimpleCMS-CE version 3.3.16 contains a Stored Cross-Site Scripting (XSS) vulnerability in the Theme → Components functionality within components.php.
User-controlled input supplied to the slug field of a component is stored and later rendered without proper output encoding. Although the other component fields are sanitized using safe_slash_html(), the slug parameter is written to XML as-is and later rendered in the administrative interface without sanitization.
This results in persistent execution of arbitrary JavaScript when the affected Components page is viewed.
Impact
Successful exploitation may allow:
Execution of arbitrary JavaScript in the administrative interface
Session hijacking
Unauthorized administrative actions
Persistent compromise of the CMS backend
CVSS Details
CVSS v4.0 Vector:
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
Base Score: 4.8 (Medium)
Proof of Concept (PoC)
Steps to Reproduce
Install GetSimpleCMS-CE 3.3.16.
Log in as an administrator.
Navigate to Theme → Components.
Create a new component.
Inject the following payload in the slug field:
<script>alert('XSS')</script>
Save the component.
Revisit the Components page.
The injected JavaScript executes persistently within the administrative interface.
Mitigation
Apply strict context-aware output encoding when rendering user-controlled input.
Sanitize the slug parameter before storing or rendering.
Upgrade to version 3.3.22, which is confirmed not vulnerable.
Consider implementing Content Security Policy (CSP) headers to reduce XSS impact.
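The following is an added example (not code from GetSimpleCMS-CE) illustrating the mitigation pattern described above: normalize the slug at save time and apply context-aware HTML encoding at render time. The function names sanitize_component_slug() and html_escape() are hypothetical.

```php
<?php
// Added example, not GetSimpleCMS-CE code. Function names are hypothetical.

/**
 * Normalize a user-supplied slug to a safe identifier: lowercase letters,
 * digits and hyphens only. Returns null when nothing usable remains so the
 * caller can reject the component rather than store an altered slug silently.
 */
function sanitize_component_slug(string $raw): ?string
{
    $slug = strtolower(trim($raw));
    $slug = preg_replace('/[^a-z0-9]+/', '-', $slug); // collapse anything else to '-'
    $slug = trim($slug, '-');
    if ($slug === '' || strlen($slug) > 64) {
        return null;
    }
    return $slug;
}

/**
 * Output encoding for the HTML text and attribute contexts in which the
 * Components page echoes the slug. Applied at render time regardless of what
 * was stored: storage-time normalization is defence in depth, encoding is
 * the actual XSS control.
 */
function html_escape(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Constructed input with the same shape as the advisory's payload.
$untrusted = "<script>alert('XSS')</script>";

// Vulnerable pattern described in the advisory: the slug is stored and echoed as-is,
// so the browser parses the stored markup as part of the admin page.
$vulnerable_html = '<input name="slug" value="' . $untrusted . '">';

// Hardened pattern: normalize (or reject) at save time, encode at render time.
$slug = sanitize_component_slug($untrusted); // "script-alert-xss-script"
if ($slug === null) {
    http_response_code(400);
    exit('Invalid component slug');
}
$hardened_html = '<input name="slug" value="' . html_escape($slug) . '">';

echo $hardened_html, PHP_EOL; // <input name="slug" value="script-alert-xss-script">
```

Even with slug normalization in place, every other stored field echoed into the admin page still needs the same render-time encoding, since a whitelist on one field does not protect the rest of the page.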
Discoverer
Beatriz Fresno Naumova
References
CVE Record: https://www.cve.org/CVERecord?id=CVE-2026-26351
Vendor Website: https://getsimple-ce.ovh/