CVE-2026-27147

GetSimple CMS: Stored Cross-Site Scripting (XSS) via SVG File Upload (Authenticated)

CVSS 6.9 MEDIUMEPSS 0.2%CWE-79

Vexday Risk Score

13Bajo

Decisión SSVC (CISA)

Track

Sin señal de explotación → monitorear

CVSS 6.9EPSS 0.2%KEV nãoPoC —Nuclei —Metasploit —Patch —

Ciclo de vida

20 feb 2026Publicada en NVD

Recomendación: Monitorear — sin señal de explotación por ahora.

GetSimple CMS is a content management system. All versions of GetSimple CMS are vulnerable to XSS through SVG file uploads. Authenticated users can upload SVG files via the administrative upload functionality, but they are not properly sanitized or restricted, allowing an attacker to embed malicious JavaScript. When the uploaded SVG file is accessed, the script executes in the browser. This issue does not have a fix at the time of publication.

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Productos afectados

GetSimpleCMS-CE · GetSimpleCMS-CE

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →

Referencias

https://github.com/GetSimpleCMS-CE/GetSimpleCMS-CE/security/advisories/GHSA-5gmq-hrcx-6w45