CVE-2026-27147 | THREATINT

Description

GetSimple CMS is a content management system. All versions of GetSimple CMS are vulnerable to XSS through SVG file uploads. Authenticated users can upload SVG files via the administrative upload functionality, but they are not properly sanitized or restricted, allowing an attacker to embed malicious JavaScript. When the uploaded SVG file is accessed, the script executes in the browser. This issue does not have a fix at the time of publication.

PUBLISHED Reserved 2026-02-18 | Published 2026-02-20 | Updated 2026-02-20 | Assigner GitHub_M

MEDIUM: 6.9CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Problem types

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Product status

<= 3.3.22

affected

References

github.com/...CMS-CE/security/advisories/GHSA-5gmq-hrcx-6w45

cve.org (CVE-2026-27147)

nvd.nist.gov (CVE-2026-27147)

Download JSON