{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-06-15T15:30:48.054","vulnerabilities":[{"cve":{"id":"CVE-2026-26351","sourceIdentifier":"disclosure@vulncheck.com","published":"2026-02-24T23:16:04.830","lastModified":"2026-05-26T00:16:50.787","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"GetSimpleCMS Community Edition (CE) versions prior to 3.3.22 (3.3.16 tested) contains a stored cross-site scripting (XSS) vulnerability in the Theme to Components functionality within components.php. User-supplied input provided to the \"slug\" field of a component is stored without proper output encoding. While other fields are sanitized using safe_slash_html(), the slug parameter is written to XML and later rendered in the administrative interface without sanitation, resulting in persistent execution of arbitrary JavaScript. An authenticated administrator can inject malicious script content that executes whenever the affected Components page is viewed by any authenticated user, enabling session hijacking, unauthorized administrative actions, and persistent compromise of the CMS administrative interface."},{"lang":"es","value":"GetSimpleCMS Community Edition (CE) versión 3.3.16 contiene una vulnerabilidad de cross-site scripting (XSS) almacenada en la funcionalidad Theme to Components dentro de components.PHP. La entrada proporcionada por el usuario al campo 'slug' de un componente se almacena sin una codificación de salida adecuada. Mientras que otros campos son saneados usando safe_slash_html(), el parámetro slug se escribe en XML y luego se renderiza en la interfaz de administración sin saneamiento, lo que resulta en la ejecución persistente de JavaScript arbitrario. Un administrador autenticado puede inyectar contenido de script malicioso que se ejecute cada vez que un usuario autenticado ve la página afectada de Componentes, lo que permite el secuestro de sesión, acciones de administración no autorizadas y el compromiso persistente de la interfaz de administración del CMS."}],"metrics":{"cvssMetricV40":[{"source":"disclosure@vulncheck.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":4.8,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"HIGH","userInteraction":"PASSIVE","vulnConfidentialityImpact":"NONE","vulnIntegrityImpact":"NONE","vulnAvailabilityImpact":"NONE","subConfidentialityImpact":"LOW","subIntegrityImpact":"LOW","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N","baseScore":4.8,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"HIGH","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":1.7,"impactScore":2.7}]},"weaknesses":[{"source":"disclosure@vulncheck.com","type":"Secondary","description":[{"lang":"en","value":"CWE-79"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:getsimple-ce:getsimple_cms:*:*:*:*:community:*:*:*","versionStartIncluding":"3.3.16","versionEndExcluding":"3.3.22","matchCriteriaId":"B8BDA615-4B42-49F7-9D42-FE2A6750A531"}]}]}],"references":[{"url":"https://getsimple-ce.ovh/","source":"disclosure@vulncheck.com","tags":["Product"]},{"url":"https://github.com/GetSimpleCMS-CE/GetSimpleCMS-CE/releases/tag/v3.3.22","source":"disclosure@vulncheck.com","tags":["Product","Release Notes"]},{"url":"https://github.com/GetSimpleCMS-CE/GetSimpleCMS-CE/security/advisories/GHSA-95f7-vm92-8gpx","source":"disclosure@vulncheck.com","tags":["Broken Link"]},{"url":"https://www.vulncheck.com/advisories/getsimplecms-ce-stored-xss-via-components-php","source":"disclosure@vulncheck.com","tags":["Third Party Advisory"]}]}}]}