CVE-2026-27146
Received Received - Intake
CSRF Vulnerability in GetSimple CMS Allows Arbitrary File Upload

Publication date: 2026-02-21

Last updated on: 2026-02-24

Assigner: GitHub, Inc.

Description
GetSimple CMS is a content management system. All versions of GetSimple CMS do not implement CSRF protection on the administrative file upload endpoint. As a result, an attacker can craft a malicious web page that silently triggers a file upload request from an authenticated victim’s browser. The request is accepted without requiring a CSRF token or origin validation. This allows an attacker to upload arbitrary files to the application without the victim’s knowledge or consent. In order to exploit this vulnerability, the victim must be authenticated to GetSimple CMS (e.g., admin user), and visit an attacker-controlled webpage. This issue does not have a fix at the time of publication.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-21
Last Modified
2026-02-24
Generated
2026-06-16
AI Q&A
2026-02-21
EPSS Evaluated
2026-06-15
NVD
CVE-2026-27146
EUVD
EUVD-2026-7752
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
getsimple-ce getsimple_cms to 3.3.22 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-352 The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
CWE-434 The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-27146 is a high-severity Cross-Site Request Forgery (CSRF) vulnerability in GetSimple CMS versions up to and including 3.3.22, specifically affecting the administrative file upload endpoint at /admin/upload.php.'}, {'type': 'paragraph', 'content': 'The vulnerability exists because the application does not implement CSRF protection mechanisms such as CSRF tokens or origin validation on this endpoint.'}, {'type': 'paragraph', 'content': "As a result, an attacker can create a malicious webpage that, when visited by an authenticated GetSimple CMS user (such as an admin), silently triggers a file upload request without the user's knowledge or consent."}, {'type': 'paragraph', 'content': 'This request is accepted by the server without requiring any CSRF token or origin check, allowing the attacker to upload arbitrary files to the server.'}] [1]

Impact Analysis

[{'type': 'paragraph', 'content': 'This vulnerability can have several serious impacts:'}, {'type': 'list_item', 'content': "Unauthorized file uploads to the server without the victim's knowledge."}, {'type': 'list_item', 'content': 'Hosting of persistent malicious content on the website.'}, {'type': 'list_item', 'content': 'Abuse of server storage resources.'}, {'type': 'list_item', 'content': 'Potential website defacement.'}, {'type': 'list_item', 'content': 'If combined with insufficient file validation (e.g., allowing SVG files), it can lead to stored Cross-Site Scripting (XSS) attacks without requiring direct user interaction.'}] [1]

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring for unauthorized or unexpected POST requests to the administrative file upload endpoint /admin/upload.php on GetSimple CMS servers.'}, {'type': 'paragraph', 'content': 'You can look for suspicious file uploads in the /data/uploads/ directory, especially those triggered without explicit user interaction.'}, {'type': 'paragraph', 'content': 'Network detection can involve capturing HTTP traffic and filtering for POST requests to /admin/upload.php that originate from authenticated sessions but are triggered from external or suspicious sources.'}, {'type': 'list_item', 'content': 'Use tools like tcpdump or Wireshark to capture HTTP traffic and filter for POST requests to /admin/upload.php.'}, {'type': 'list_item', 'content': "Example tcpdump command: tcpdump -i eth0 -A 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep 'POST /admin/upload.php'"}, {'type': 'list_item', 'content': 'Check web server logs (e.g., access.log) for POST requests to /admin/upload.php that do not include valid CSRF tokens or have suspicious Referer headers.'}, {'type': 'list_item', 'content': "Example grep command: grep 'POST /admin/upload.php' /var/log/apache2/access.log"}, {'type': 'list_item', 'content': 'Inspect the /data/uploads/ directory for recently uploaded files that may be suspicious or unexpected.'}] [1]

Mitigation Strategies

Since no patched versions are available at the time of publication, immediate mitigation steps focus on reducing the risk of exploitation.

  • Restrict access to the administrative interface to trusted IP addresses or VPNs to limit exposure.
  • Implement web application firewall (WAF) rules to block or alert on suspicious POST requests to /admin/upload.php.
  • Educate authenticated users, especially administrators, to avoid visiting untrusted or suspicious websites while logged into the CMS.
  • Manually monitor and review uploaded files in the /data/uploads/ directory for unauthorized content.
  • If possible, implement custom CSRF protections such as validating Origin or Referer headers on the server side as a temporary workaround.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-27146. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart