PT-2026-21807 · Unknown · Getsimplecms Community Edition

Vulncheck · Published 2026-02-24 · Updated 2026-02-25 · CVE-2026-26351

CVSS v3.1: 4.8 Medium
Vector: AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: GetSimpleCMS Community Edition version 3.3.16

Description: GetSimpleCMS Community Edition version 3.3.16 has a stored cross-site scripting issue in the Theme to Components functionality within the components.php file. Input to the “slug” field of a component is stored without proper output encoding. The slug parameter is written to XML and rendered in the administrative interface without sanitization, allowing an authenticated administrator to inject malicious script content. This can lead to session hijacking, unauthorized administrative actions, and compromise of the CMS administrative interface when the Components page is viewed by any authenticated user.

Recommendations: Update to a newer version that contains a fix for this vulnerability.
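
The weakness class described above (a value stored in XML and later written into admin HTML without output encoding) can be checked for with a sketch like the following. It is an added example, not GetSimpleCMS code and not the vendor's fix; the function names and the sample value are hypothetical and constructed for illustration.

```php
<?php
// Added illustration, not GetSimpleCMS source. All function names are hypothetical.

// Input side: reduce a submitted slug to a conservative allowlist.
function normalize_slug(string $raw): string
{
    $slug = strtolower(trim($raw));
    $slug = preg_replace('/[^a-z0-9_-]+/', '-', $slug) ?? '';
    return trim($slug, '-');
}

// Storage side: the serializer escapes the text node and the parser
// decodes it again, so XML storage hands back the raw characters.
function store_and_reload(string $slug): string
{
    $doc  = new DOMDocument('1.0', 'UTF-8');
    $item = $doc->appendChild($doc->createElement('item'));
    $node = $item->appendChild($doc->createElement('slug'));
    $node->appendChild($doc->createTextNode($slug));
    $reloaded = simplexml_load_string($doc->saveXML());
    return (string) $reloaded->slug;
}

// Output side: encode for the HTML attribute context at render time.
function render_slug_field(string $slug): string
{
    $safe = htmlspecialchars($slug, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="slug" value="' . $safe . '">';
}

// Constructed sample value containing a quote and markup characters.
$submitted = 'side"bar<b>x</b>';
$stored    = store_and_reload($submitted);

// The XML round trip does not neutralize the value for HTML.
var_dump($stored === $submitted);

// Encoding at output keeps the stored value inside the attribute.
echo render_slug_field($stored), PHP_EOL;

// Allowlisting at input leaves nothing that needs escaping.
echo render_slug_field(normalize_slug($submitted)), PHP_EOL;
```

XML escaping protects only the XML file; the encoding that matters for this issue is the one applied when the stored slug is written into the Components page.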

Fix

XSS

Weakness Enumeration

Related Identifiers: CVE-2026-26351, GHSA-95F7-VM92-8GPX

Affected Products: Getsimplecms Community Edition