# GetSimpleCMS-CE Stored XSS via components.php (CVE-2026-26351)

**Author:** Beatriz Fresno Naumova

**Date:** 24/02/2026

**Vendor:** GetSimpleCMS-CE

**Product:** GetSimpleCMS Community Edition

**Version Affected:** 3.3.16

**Fixed Version:** 3.3.22

**Component:** Theme to Components – components.php

**CWE:** CWE-79 – Improper Neutralization of Input During Web Page Generation (XSS)

**Attack Vector:** Remote (authenticated administrator required)

### Description

GetSimpleCMS-CE version 3.3.16 contains a Stored Cross-Site Scripting (XSS) vulnerability in the *Theme to Components* functionality within components.php.

User-controlled input supplied to the slug field of a component is stored without proper output encoding. Although other fields are sanitized using `safe_slash_html()`, the slug parameter is written to XML and later rendered in the administrative interface without sanitization.

This results in persistent execution of arbitrary JavaScript when the affected Components page is viewed.

### Impact

Successful exploitation may allow:

* Execution of arbitrary JavaScript in the administrative interface
* Session hijacking
* Unauthorized administrative actions
* Persistent compromise of the CMS backend

### CVSS Details

**CVSS v4.0 Vector:**

`CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N`

**Base Score:** 4.8 (Medium)

### Proof of Concept (PoC)

#### Steps to Reproduce

1. Install GetSimpleCMS-CE 3.3.16.
2. Log in as an administrator.
3. Navigate to Theme → Components.
4. Create a new component.
5. Inject the following payload in the slug field:

`<script>alert('XSS')</script>`

6. Save the component.
7. Revisit the Components page.

The injected JavaScript executes persistently within the administrative interface.

### Mitigation

* Apply strict context-aware output encoding when rendering user-controlled input.
* Sanitize the slug parameter before storing or rendering.
* Upgrade to version 3.3.22, which is confirmed not vulnerable.
* Consider implementing Content Security Policy (CSP) headers to reduce XSS impact.
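As an added defensive illustration (not code from GetSimpleCMS-CE or from the author of this advisory), the PHP below shows the two fixes the list above calls for: a strict allow-list check on the component slug before it is stored, and context-aware escaping when a stored slug is rendered in the admin page. `validate_component_slug` and `render_slug_cell` are hypothetical names; the only values taken from the page are the `safe_slash_html()` function name and the PoC payload.

```php
<?php
// Added example, not part of GetSimpleCMS-CE. Helper names are hypothetical.

/**
 * Store-side fix: a component slug is an identifier, so reject anything
 * outside a tight allow-list before it is written to the components XML.
 * Returns the slug unchanged on success, or null when it must be rejected.
 */
function validate_component_slug(string $slug): ?string
{
    // Lower-case letters, digits and single hyphens only, at most 64 chars,
    // no leading or trailing hyphen. Markup characters can never pass.
    if (strlen($slug) > 64 || preg_match('/^[a-z0-9]+(?:-[a-z0-9]+)*$/', $slug) !== 1) {
        return null;
    }
    return $slug;
}

/**
 * Render-side fix: escape the stored value for the HTML context it lands in.
 * The advisory notes the other component fields already pass through
 * safe_slash_html() on the way to XML; this closes the same gap for the slug
 * at output time, which also covers slugs stored before the store-side check
 * existed.
 */
function render_slug_cell(string $stored_slug): string
{
    $safe = htmlspecialchars($stored_slug, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<td class="slug">' . $safe . '</td>';
}

// Constructed inputs: the payload from the PoC above and a legitimate slug.
$payload = "<script>alert('XSS')</script>";
$good    = 'sidebar-footer';

// 1. Store-time check: the payload is rejected, the real slug is accepted.
var_dump(validate_component_slug($payload));
var_dump(validate_component_slug($good));

// 2. Render-time check: even if a pre-fix XML file still holds the payload,
//    the escaped output is inert text when the Components page is viewed.
echo render_slug_cell($payload), "\n";
echo render_slug_cell($good), "\n";
```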

### Discoverer

* Beatriz Fresno Naumova

### References

* **CVE Record:** <https://www.cve.org/CVERecord?id=CVE-2026-26351>
* **VulnCheck Advisory:** <https://www.vulncheck.com/advisories/getsimplecms-ce-stored-xss-via-components-php>
* **Vendor Website:** <https://getsimple-ce.ovh/>
