
GetSimple CMS Allows Attackers to Inject Malicious Code via SVG Files

CVE-2026-27147
Summary

All versions of GetSimple CMS have a security issue with uploaded SVG files: an authenticated user can upload a malicious SVG file that runs script in the browser of anyone who opens it, which can harm your website. Update to a fixed version of the software as soon as one is available.

What to do

No fix is available yet. Check with your software vendor for updates.

Affected software
| Vendor | Product | Affected versions | Fix available |
| getsimple-ce | getsimple_cms | <= 3.3.22 | – |
Original title
GetSimple CMS is a content management system. All versions of GetSimple CMS are vulnerable to XSS through SVG file uploads. Authenticated users can upload SVG files via the administrative upload fu...
Original description
GetSimple CMS is a content management system. All versions of GetSimple CMS are vulnerable to XSS through SVG file uploads. Authenticated users can upload SVG files via the administrative upload functionality, but they are not properly sanitized or restricted, allowing an attacker to embed malicious JavaScript. When the uploaded SVG file is accessed, the script executes in the browser. This issue does not have a fix at the time of publication.
nvd CVSS3.1 5.4
nvd CVSS4.0 6.9
Vulnerability type
CWE-79 Cross-site Scripting (XSS)
Published: 21 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026