Getsimplecms Ce
CVEs (46)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2020-21353 |  | Med | 0.35 | 5.4 | 0.01 |  | Aug 6, 2021 | A stored cross site scripting (XSS) vulnerability in /admin/snippets.php of GetSimple CMS 3.4.0a allows attackers to execute arbitrary web scripts or HTML via crafted payload in the Edit Snippets module. |
| CVE-2020-20391 |  | Med | 0.35 | 5.4 | 0.01 |  | Jun 23, 2021 | Cross Site Scripting vulnerability in GetSimpleCMS 3.4.0a in admin/snippets.php via (1) Add Snippet and (2) Save snippets. |
| CVE-2019-16333 |  | Med | 0.35 | 5.4 | 0.01 |  | Sep 15, 2019 | GetSimple CMS v3.3.15 has Persistent Cross-Site Scripting (XSS) in admin/theme-edit.php. |
| CVE-2018-19845 |  | Med | 0.35 | 5.4 | 0.01 |  | Dec 31, 2018 | There is Stored XSS in GetSimple CMS 3.3.12 via the admin/edit.php "post-menu" parameter, a related issue to CVE-2018-16325. |
| CVE-2014-8723 |  | Med | 0.35 | 5.3 | 0.01 |  | Mar 17, 2017 | GetSimple CMS 3.3.4 allows remote attackers to obtain sensitive information via a direct request to (1) plugins/anonymous_data.php or (2) plugins/InnovationPlugin.php, which reveals the installation path in an error message. |
| CVE-2026-26351 |  | Med | 0.31 | 4.8 | 0.00 |  | Feb 24, 2026 | GetSimpleCMS Community Edition (CE) versions prior to 3.3.22 (3.3.16 tested) contains a stored cross-site scripting (XSS) vulnerability in the Theme to Components functionality within components.php. User-supplied input provided to the "slug" field of a component is stored… |
| CVE-2023-6188 |  | Med | 0.31 | 4.7 | 0.01 |  | Nov 17, 2023 | A vulnerability was found in GetSimpleCMS 3.3.16/3.4.0a. It has been rated as critical. This issue affects some unknown processing of the file /admin/theme-edit.php. The manipulation leads to code injection. The attack may be initiated remotely. The exploit has been disclosed to… |
| CVE-2020-20389 |  | Med | 0.31 | 4.8 | 0.01 |  | Jun 23, 2021 | Cross Site Scripting (XSS) vulnerability in GetSimpleCMS 3.4.0a in admin/edit.php. |
| CVE-2021-28977 |  | Med | 0.31 | 4.8 | 0.01 |  | Jun 23, 2021 | Cross Site Scripting vulnerability in GetSimpleCMS 3.3.16 in admin/upload.php by adding comments or jpg and other file header information to the content of xla, pages, and gzip files, |
| CVE-2018-15843 |  | Med | 0.31 | 4.8 | 0.01 |  | Aug 25, 2018 | GetSimple CMS 3.3.14 has XSS via the admin/edit.php "Add New Page" field. |
| CVE-2018-19421 |  | Low | 0.25 | 3.8 | 0.01 |  | Nov 21, 2018 | In GetSimpleCMS 3.3.15, admin/upload.php blocks .html uploads but Internet Explorer render HTML elements in a .eml file, because of admin/upload-uploadify.php, and validate_safe_file in admin/inc/security_functions.php. |
| CVE-2018-19420 |  | Low | 0.25 | 3.8 | 0.01 |  | Nov 21, 2018 | In GetSimpleCMS 3.3.15, admin/upload.php blocks .html uploads but there are several alternative cases in which HTML can be executed, such as a file with no extension or an unrecognized extension (e.g., the test or test.asdf filename), because of admin/upload-uploadify.php, and… |
| CVE-2013-10032 |  |  | 0.09 | — | 0.02 |  | Jul 25, 2025 | An authenticated remote code execution vulnerability exists in GetSimpleCMS version 3.2.1. The application’s upload.php endpoint allows authenticated users to upload arbitrary files without proper validation of MIME types or extensions. By uploading a .pht file containing PHP… |
| CVE-2026-28495 |  |  | 0.00 | — | 0.00 |  | Mar 10, 2026 | GetSimple CMS is a content management system. The massiveAdmin plugin (v6.0.3) bundled with GetSimpleCMS-CE v3.3.22 allows an authenticated administrator to overwrite the gsconfig.php configuration file with arbitrary PHP code via the gsconfig editor module. The form lacks CSRF… |
| CVE-2026-27202 |  |  | 0.00 | — | 0.01 |  | Feb 20, 2026 | GetSimple CMS is a content management system. All versions of GetSimple CMS have a flaw in the Uploaded Files feature that allows for arbitrary file reads. This issue has not been fixed at the time of publication. |
| CVE-2026-27161 |  |  | 0.00 | — | 0.00 |  | Feb 20, 2026 | GetSimple CMS is a content management system. All versions of GetSimple CMS rely on .htaccess files to restrict access to sensitive directories such as /data/ and /backups/. If Apache AllowOverride is disabled (common in hardened or shared hosting environments), these… |
| CVE-2026-27147 |  |  | 0.00 | — | 0.00 |  | Feb 20, 2026 | GetSimple CMS is a content management system. All versions of GetSimple CMS are vulnerable to XSS through SVG file uploads. Authenticated users can upload SVG files via the administrative upload functionality, but they are not properly sanitized or restricted, allowing an… |
| CVE-2026-27146 |  |  | 0.00 | — | 0.00 |  | Feb 20, 2026 | GetSimple CMS is a content management system. All versions of GetSimple CMS do not implement CSRF protection on the administrative file upload endpoint. As a result, an attacker can craft a malicious web page that silently triggers a file upload request from an authenticated… |
| CVE-2021-47860 |  |  | 0.00 | — | 0.00 |  | Jan 21, 2026 | GetSimple CMS Custom JS 0.1 plugin contains a cross-site request forgery vulnerability that allows unauthenticated attackers to inject arbitrary client-side code into administrator browsers. Attackers can craft a malicious website that triggers a cross-site scripting payload to… |
| CVE-2021-47830 |  |  | 0.00 | — | 0.00 |  | Jan 21, 2026 | GetSimple CMS My SMTP Contact Plugin 1.1.1 contains a cross-site request forgery (CSRF) vulnerability. Attackers can craft a malicious webpage that, when visited by an authenticated administrator, can change SMTP configuration settings in the plugin. This may allow unauthorized… |