CVE-2026-27146

Name of the Vulnerable Software and Affected Versions GetSimple CMS (affected versions not specified)

Description GetSimple CMS does not implement CSRF protection on the administrative file upload endpoint. An attacker can craft a malicious web page that silently triggers a file upload request from an authenticated victim’s browser. The request is accepted without requiring a CSRF token or origin validation, allowing an attacker to upload arbitrary files to the application without the victim’s knowledge or consent. To exploit this, the victim must be authenticated to GetSimple CMS and visit an attacker-controlled webpage.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.