Unrated severityNVD Advisory· Published Feb 20, 2026· Updated Feb 25, 2026

GetSimple CMS: Stored Cross-Site Scripting (XSS) via SVG File Upload (Authenticated)

CVE-2026-27147

Description

GetSimple CMS is a content management system. All versions of GetSimple CMS are vulnerable to XSS through SVG file uploads. Authenticated users can upload SVG files via the administrative upload functionality, but they are not properly sanitized or restricted, allowing an attacker to embed malicious JavaScript. When the uploaded SVG file is accessed, the script executes in the browser. This issue does not have a fix at the time of publication.

Affected products

Getsimplecms Ce/Getsimplecms Cev5
Range: <= 3.3.22

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/GetSimpleCMS-CE/GetSimpleCMS-CE/security/advisories/GHSA-5gmq-hrcx-6w45mitrex_refsource_CONFIRM

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000