CVE-2026-28495

Critical CVSS: 9.6

GetSimple CMS is a content management system. The massiveAdmin plugin (v6.0.3) bundled with GetSimpleCMS-CE v3.3.22 allows an authenticated administrator to overwrite the gsconfig.php configuration file with arbitrary PHP code via the gsconfig editor module. The form lacks CSRF protection, enabling a remote unauthenticated attacker to exploit this via Cross-Site Request Forgery against a logged-in admin, achieving Remote Code Execution (RCE) on the web server.

Vendor

Getsimple-ce

Product

Getsimple Cms

CWE

CWE-352

Yayın Tarihi

2026-03-10 20:16:37

Güncelleme

2026-03-12 18:21:10

Source Identifier

security-advisories@github.com

KEV Date Added

Kategoriler

CWE-352 Getsimple Cms CRITICAL Getsimple-ce 2026

Referanslar

https://github.com/GetSimpleCMS-CE/GetSimpleCMS-CE/security/advisories/GHSA-92wv-q2jp-qg88

Benzer Kayıtlar

Medium

CVE-2026-26351

GetSimpleCMS Community Edition (CE) version 3.3.16 contains a stored cross-site scripting (XSS) vulnerability in the The…

High

CVE-2026-27202

GetSimple CMS is a content management system. All versions of GetSimple CMS have a flaw in the Uploaded Files feature th…

High

CVE-2026-27146

GetSimple CMS is a content management system. All versions of GetSimple CMS do not implement CSRF protection on the admi…

Medium

CVE-2026-27147

GetSimple CMS is a content management system. All versions of GetSimple CMS are vulnerable to XSS through SVG file uploa…

High

CVE-2026-27161

GetSimple CMS is a content management system. All versions of GetSimple CMS rely on .htaccess files to restrict access t…

High

CVE-2025-48492

GetSimple CMS is a content management system. In versions starting from 3.3.16 to 3.3.21, an authenticated user with acc…