CVE-2026-11975 | THREATINT

Description

Stored cross-site scripting (XSS) in NewsItemApiController In SimplCommerce prior to commit 6142d3b5 allows an authenticated administrator to execute arbitrary JavaScript via the ShortContent and FullContent fields, which are stored without HTML sanitization and rendered unencoded via @Html.Raw()

PUBLISHED Reserved 2026-06-11 | Published 2026-06-17 | Updated 2026-06-17 | Assigner Checkmarx

MEDIUM: 6.2CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:H/SI:H/SA:N

Problem types

CWE-79 Improper neutralization of input during web page generation ('cross-site scripting')

Product status

Default status

affected

Any version before 6142d3b5

affected

References

github.com/simplcommerce/SimplCommerce/pull/1151

github.com/...ommit/6142d3b5147899e0edb41663ae20183878ab39f7 patch

cve.org (CVE-2026-11975)

nvd.nist.gov (CVE-2026-11975)

Download JSON