4.8

GetSimpleCMS CE 3.3.16: Stored XSS in Theme to Components

CVE-2026-26351
Summary

A stored cross-site scripting (XSS) vulnerability exists in GetSimpleCMS Community Edition 3.3.16. An attacker who has administrative access can inject malicious JavaScript into the CMS through the "slug" field of a component; the script runs whenever an authenticated user views the Components page, allowing the attacker to steal user sessions and take control of the site. To protect your site, update to the latest version of GetSimpleCMS as soon as possible.

What to do

No fix is available yet. Check with your software vendor for updates.

Affected software
| Vendor | Product | Affected versions | Fix available |
| --- | --- | --- | --- |
| getsimple-ce | getsimple_cms | > 3.3.16, <= 3.3.22 | – |
Original title
GetSimpleCMS Community Edition (CE) version 3.3.16 contains a stored cross-site scripting (XSS) vulnerability in the Theme to Components functionality within components.php. User-supplied input pro...
Original description
GetSimpleCMS Community Edition (CE) version 3.3.16 contains a stored cross-site scripting (XSS) vulnerability in the Theme to Components functionality within components.php. User-supplied input provided to the "slug" field of a component is stored without proper output encoding. While other fields are sanitized using safe_slash_html(), the slug parameter is written to XML and later rendered in the administrative interface without sanitization, resulting in persistent execution of arbitrary JavaScript. An authenticated administrator can inject malicious script content that executes whenever the affected Components page is viewed by any authenticated user, enabling session hijacking, unauthorized administrative actions, and persistent compromise of the CMS administrative interface.
nvd CVSS3.1 4.8
nvd CVSS4.0 4.8
Vulnerability type
CWE-79 Cross-site Scripting (XSS)
Published: 24 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026
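
Because the slug is written to XML and rendered later without encoding, one check a site owner can run while no fix is available is an audit of the stored component XML for slug values that contain anything other than slug characters. The script below is an added example, not GetSimpleCMS code and not part of the advisory; the XML layout, the allowed character set and the names `audit_slugs` and `SAMPLE_XML` are assumptions.

```python
import html
import re
import xml.etree.ElementTree as ET

# Assumption: a legitimate slug uses only lowercase letters, digits, "-" and "_".
SAFE_SLUG = re.compile(r"[a-z0-9_-]+")

# Constructed sample of a stored components file. The element layout is an
# assumption; the advisory only states that the slug is written to XML.
SAMPLE_XML = """<channel>
  <item>
    <title><![CDATA[Sidebar]]></title>
    <slug>sidebar</slug>
    <value><![CDATA[&lt;p&gt;Hello&lt;/p&gt;]]></value>
  </item>
  <item>
    <title><![CDATA[Footer]]></title>
    <slug>footer&quot;&gt;&lt;b&gt;</slug>
    <value><![CDATA[text]]></value>
  </item>
  <item>
    <title><![CDATA[Nav]]></title>
    <slug><![CDATA[nav<i>]]></slug>
    <value><![CDATA[text]]></value>
  </item>
</channel>
"""


def audit_slugs(xml_text):
    """Return (index, raw_slug, encoded_slug) for every suspicious <slug>.

    raw_slug is the value as an unencoded template would emit it;
    encoded_slug is the same value after HTML output encoding, which is
    what an admin page should render instead.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for index, node in enumerate(root.iter("slug")):
        # itertext() covers entity-encoded text, CDATA sections and any
        # text nested in child elements of <slug>.
        value = "".join(node.itertext())
        if not SAFE_SLUG.fullmatch(value):
            findings.append((index, value, html.escape(value, quote=True)))
    return findings


if __name__ == "__main__":
    for index, raw, encoded in audit_slugs(SAMPLE_XML):
        print(f"slug #{index}: raw={raw!r} encoded={encoded!r}")
```
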