CVE-2026-6184
Description
A weakness has been identified in code-projects Simple Content Management System 1.0. This affects an unknown part of the file /web/admin/welcome.php. Executing a manipulation of the argument News Title can lead to cross site scripting. The attack can be executed remotely. The exploit has been made available to the public and could be used for attacks.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A stored XSS vulnerability in Simple Content Management System 1.0 allows authenticated admins to inject scripts via the News Title field, affecting public visitors.
Vulnerability Overview
A stored cross-site scripting (XSS) vulnerability has been identified in code-projects Simple Content Management System 1.0. The vulnerability resides in the /web/admin/welcome.php file, specifically within the News Title input field. The application fails to sanitize user-supplied input before storing it in the database and later reflecting it on the public index page (/web/index.php). This flaw is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation) [1].
Exploitation Details
Exploitation requires an authenticated admin-level user to access the admin panel and navigate to the Add News functionality. The attacker can then inject a malicious script, such as ``, into the News Title field. Once submitted, the payload is stored in the database. Any visitor—including unauthenticated users—who browses the public index page will trigger the stored script, executing it in their browser context [1].
Impact
Successful exploitation allows an attacker to steal session cookies from any user viewing the public index page. This can lead to full session hijacking and account takeover, including administrator accounts. The impact is amplified because the trigger page is public and requires no authentication, meaning any site visitor is a potential victim [1].
Mitigation Status
As of the publication date (2026-04-13), no official patch has been released by the vendor. The exploit has been publicly disclosed and a proof-of-concept is available. Users are advised to implement input sanitization and output encoding for the News Title field, or restrict access to the admin panel until a vendor fix is provided [1][2].
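One way to apply the input validation and output encoding advised above, as an added example that is not the vendor's code or taken from the advisory. The function names, the 200-character limit, the `title`/`body` row keys and the sample rows are assumptions, since the application's source is not shown here.

```php
<?php
declare(strict_types=1);

// Hypothetical helpers: the application's real handlers are not shown on the page.

// Input side (admin "Add News" handler): validate the title before it is stored.
function clean_news_title(string $raw): string
{
    if (preg_match('//u', $raw) !== 1) {              // reject invalid UTF-8
        throw new InvalidArgumentException('News Title must be valid UTF-8');
    }
    // Replace control characters with spaces, then trim.
    $title = trim(preg_replace('/[\x00-\x1F\x7F]+/u', ' ', $raw));
    if (preg_match('/^.{1,200}$/us', $title) !== 1) { // 1-200 code points (assumed limit)
        throw new InvalidArgumentException('News Title must be 1-200 characters');
    }
    return $title; // stored as plain text; never treated as markup
}

// Output side (public index page): encode for the HTML body/attribute context.
function h(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_news_item(array $row): string
{
    return '<article><h2>' . h($row['title']) . '</h2><p>' . h($row['body']) . "</p></article>\n";
}

// Defence in depth against the cookie-theft impact (skipped under the CLI).
if (PHP_SAPI !== 'cli') {
    session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
    header("Content-Security-Policy: default-src 'self'; script-src 'self'");
}

// Constructed rows standing in for the news table. The second title contains
// markup characters, as an unfiltered form would have stored them.
$rows = [
    ['title' => clean_news_title("  Site maintenance\ton Friday "), 'body' => 'Expect brief downtime.'],
    ['title' => '<b>Release</b> notes & "fixes"', 'body' => 'Legacy row stored before validation.'],
];

foreach ($rows as $row) {
    echo render_news_item($row); // markup in the second title is shown as text, not interpreted
}
```

Encoding at render time is what protects rows that were stored before any validation existed; the input check alone does not clean existing data.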
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
- Range: = 1.0
Patches (0)
No patches discovered yet.
References (4)
News mentions (0)
No linked articles in our index yet.