Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools

GetSimpleCMS-CE

Source -

CNA

CNA CVEs -

5

ADP CVEs -

0

CISA CVEs -

0

NVD CVEs -

0
Related CVEsRelated VendorsRelated AssignersReports
5Vulnerabilities found
CVE-2026-27202
Assigner-GitHub, Inc.
ShareView Details
Assigner-GitHub, Inc.
CVSS Score-8.8||HIGH
EPSS-Not Assigned
Published-20 Feb, 2026 | 23:26
Updated-21 Feb, 2026 | 00:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
GetSimple CMS: Uploaded Files (feature) Arbitrary File Read Vulnerability

GetSimple CMS is a content management system. All versions of GetSimple CMS have a flaw in the Uploaded Files feature that allows for arbitrary file reads. This issue has not been fixed at the time of publication.

Action-Not Available
Vendor-GetSimpleCMS-CE
Product-GetSimpleCMS-CE
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWE ID-CWE-23
Relative Path Traversal
CVE-2026-27161
Assigner-GitHub, Inc.
ShareView Details
Assigner-GitHub, Inc.
CVSS Score-8.7||HIGH
EPSS-Not Assigned
Published-20 Feb, 2026 | 23:19
Updated-21 Feb, 2026 | 00:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Unauthenticated Information Disclosure via .htaccess Reliance in Sensitive Directories

GetSimple CMS is a content management system. All versions of GetSimple CMS rely on .htaccess files to restrict access to sensitive directories such as /data/ and /backups/. If Apache AllowOverride is disabled (common in hardened or shared hosting environments), these protections are silently ignored, allowing unauthenticated attackers to list and download sensitive files including authorization.xml, which contains cryptographic salts and API keys. This issue does not have a fix at the time of publication.

Action-Not Available
Vendor-GetSimpleCMS-CE
Product-GetSimpleCMS-CE
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2026-27147
Assigner-GitHub, Inc.
ShareView Details
Assigner-GitHub, Inc.
CVSS Score-6.9||MEDIUM
EPSS-Not Assigned
Published-20 Feb, 2026 | 23:14
Updated-21 Feb, 2026 | 00:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
GetSimple CMS: Stored Cross-Site Scripting (XSS) via SVG File Upload (Authenticated)

GetSimple CMS is a content management system. All versions of GetSimple CMS are vulnerable to XSS through SVG file uploads. Authenticated users can upload SVG files via the administrative upload functionality, but they are not properly sanitized or restricted, allowing an attacker to embed malicious JavaScript. When the uploaded SVG file is accessed, the script executes in the browser. This issue does not have a fix at the time of publication.

Action-Not Available
Vendor-GetSimpleCMS-CE
Product-GetSimpleCMS-CE
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-27146
Assigner-GitHub, Inc.
ShareView Details
Assigner-GitHub, Inc.
CVSS Score-7.1||HIGH
EPSS-Not Assigned
Published-20 Feb, 2026 | 23:10
Updated-21 Feb, 2026 | 00:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
GetSimple CMS: Cross-Site Request Forgery (CSRF) in File Upload Allows Arbitrary Uploads

GetSimple CMS is a content management system. All versions of GetSimple CMS do not implement CSRF protection on the administrative file upload endpoint. As a result, an attacker can craft a malicious web page that silently triggers a file upload request from an authenticated victim’s browser. The request is accepted without requiring a CSRF token or origin validation. This allows an attacker to upload arbitrary files to the application without the victim’s knowledge or consent. In order to exploit this vulnerability, the victim must be authenticated to GetSimple CMS (e.g., admin user), and visit an attacker-controlled webpage. This issue does not have a fix at the time of publication.

Action-Not Available
Vendor-GetSimpleCMS-CE
Product-GetSimpleCMS-CE
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2025-48492
Assigner-GitHub, Inc.
ShareView Details
Assigner-GitHub, Inc.
CVSS Score-8.6||HIGH
EPSS-1.06% / 77.29%
||
7 Day CHG~0.00%
Published-30 May, 2025 | 06:13
Updated-04 Jun, 2025 | 19:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
GetSimple CMS RCE in Edit component

GetSimple CMS is a content management system. In versions starting from 3.3.16 to 3.3.21, an authenticated user with access to the Edit component can inject arbitrary PHP into a component file and execute it via a crafted query string, resulting in Remote Code Execution (RCE). This issue is set to be patched in version 3.3.22.

Action-Not Available
Vendor-getsimple-ceGetSimpleCMS-CE
Product-getsimple_cmsGetSimpleCMS-CE
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')