CVE-2026-5203
CMS Made Simple UserGuide Module XML Import class.UserGuideImporterExporter.php _copyFilesToFolder path traversal
Vexday Risk Score
33Attention
SSVC decision (CISA)
Attend
PoC available → attend closely
Exploit maturity
Proof of concept
Public proof of concept exists, but not yet automated.
CVSS 5.1EPSS 0.3%KEV nãoPoC públicaNuclei —Metasploit —Patch —
Lifecycle
31 Mar 2026Published on NVD
18 May 2026Public PoC
Weaponization speed
48 daysto first PoC
Recommendation: Plan a near-term fix — a public PoC already exists.
A vulnerability was found in CMS Made Simple up to 2.2.22. This impacts the function _copyFilesToFolder in the library modules/UserGuide/lib/class.UserGuideImporterExporter.php of the component UserGuide Module XML Import. The manipulation results in path traversal. It is possible to launch the attack remotely. The exploit has been made public and could be used. This issue has been reported early to the project. They confirmed, that "this has already been discovered and fixed for the next release."
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P
Affected products
n/a · CMS Made Simplepublic PoCs found — 2
githubgithub.com/CaginKyr/CVE-2026-5203★ 0cve_referencedrive.proton.me/urls/Q0JHZ339BW#X9P2G3Guwvwaunverified⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.