CVE-2026-27147

GetSimple CMS: Stored Cross-Site Scripting (XSS) via SVG File Upload (Authenticated)

CVSS 6.9 MEDIUMEPSS 0.2%CWE-79

Vexday Risk Score

13Low

SSVC decision (CISA)

Track

No exploitation signal → monitor

CVSS 6.9EPSS 0.2%KEV nãoPoC —Nuclei —Metasploit —Patch —

Lifecycle

20 Feb 2026Published on NVD

Recommendation: Monitor — no exploitation signal at the moment.

GetSimple CMS is a content management system. All versions of GetSimple CMS are vulnerable to XSS through SVG file uploads. Authenticated users can upload SVG files via the administrative upload functionality, but they are not properly sanitized or restricted, allowing an attacker to embed malicious JavaScript. When the uploaded SVG file is accessed, the script executes in the browser. This issue does not have a fix at the time of publication.

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Affected products

GetSimpleCMS-CE · GetSimpleCMS-CE

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://github.com/GetSimpleCMS-CE/GetSimpleCMS-CE/security/advisories/GHSA-5gmq-hrcx-6w45