CVE-2026-27147
Stored XSS via Unsanitized SVG Uploads in GetSimple CMS
Publication date: 2026-02-21
Last updated on: 2026-02-24
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| getsimple-ce | getsimple_cms | up to and including 3.3.22 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-27147 is a stored Cross-Site Scripting (XSS) vulnerability in GetSimple CMS version 3.3.22 and earlier. Authenticated users can upload SVG files through the administrative upload feature, but these files are neither sanitized nor restricted.

Because SVG is an XML format that can carry embedded JavaScript (a <script> element, an event-handler attribute such as onload, or a javascript: link), an attacker can upload an SVG file containing a malicious script. When the file is opened as a document in a browser, either directly via its URL or through an application feature that renders it rather than embedding it as an <img>, the script executes in the victim's browser under the site's origin.

This lets the attacker run arbitrary JavaScript in the context of the GetSimple CMS application, which can lead to unauthorized actions performed on behalf of other users, phishing, or UI redressing attacks.

The vulnerability requires authentication but no elevated privileges, and the malicious payload persists until the file is removed. At the time of the advisory, no fix was available. [1]
How can this vulnerability impact me?
This vulnerability can impact you by allowing attackers to execute arbitrary JavaScript within the context of your GetSimple CMS application, which can lead to:
- Unauthorized actions on behalf of other users.
- Phishing attacks by manipulating the user interface.
- UI redressing attacks that can trick users into performing unintended actions.
Because the malicious script is stored in the uploaded SVG file, the risk persists until the file is removed or properly sanitized.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by identifying SVG files uploaded via the administrative upload functionality that contain embedded JavaScript. Since the issue is stored XSS through SVG uploads, look for SVG files containing <script> elements, event-handler attributes (onload, onerror, and similar) or javascript: URLs.
- Search the upload directory for SVG files containing <script> elements or other suspicious JavaScript. SVG is XML, so a payload may be entity-encoded or wrapped in CDATA; a plain string match can miss it, so parse the files rather than relying on grep alone.
- Use command-line tools such as grep for a first pass, for example: grep -rilE '<script|on[a-z]+\s*=|javascript:' --include='*.svg' /path/to/uploads/
- Check web server logs for direct requests to uploaded SVG files. Logs only show that the file was served; they cannot show whether the script ran.
Note that scanning the files requires filesystem access to the upload directory (or an administrative account to list the uploads). [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation is to prevent the upload, or the in-browser execution, of malicious SVG files.
- Disallow SVG file uploads entirely in the administrative upload functionality.
- If SVG uploads are necessary, sanitize each file on upload with a strict allowlist-based SVG sanitizer that drops <script> and <foreignObject> elements, on* event-handler attributes and javascript: URLs. A denylist regex is easy to bypass with encoding tricks, so the sanitizer should parse the XML and re-serialize only what it allows.
- Store uploaded SVG files outside the web root so they cannot be requested directly. If they must still be served, do so through a handler that sets a Content-Disposition: attachment or Content-Security-Policy: sandbox header, so a directly opened file cannot run script in the site's origin.
- Remove, or re-sanitize, any previously uploaded SVG files that may contain malicious scripts.
Since no patched version was available at the time of the advisory, these mitigations are critical to reducing risk.
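The following script is an added example for this advisory, not GetSimple CMS code or anything from the advisory itself. It covers both the detection answer above (scanning an upload directory for active content in SVG files, including entity-encoded and CDATA-wrapped payloads that a grep for "<script" misses) and the sanitization step in the mitigation list (an allowlist-style pass that drops the same vectors and re-serializes the parsed tree). The sample SVGs are constructed for illustration, the upload path under /var/www/getsimple is an assumption, and the banned-element set is deliberately conservative: it also drops set/animate elements, which can rewrite attributes at render time.

```python
"""Scan uploaded SVG files for stored-XSS vectors and strip them with an
allowlist-style pass.  Added example for this advisory; it is not GetSimple
CMS code and the upload path below is an assumption you must adapt."""
import re
import xml.etree.ElementTree as ET
from pathlib import Path
from typing import Iterator

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
ET.register_namespace("", SVG_NS)        # keep the default namespace on re-serialisation
ET.register_namespace("xlink", XLINK_NS)

# Elements a static image never needs.  foreignObject embeds arbitrary HTML;
# set/animate* can rewrite attributes (including href) at render time, so a
# conservative allowlist drops them too (assumption: animation is not required).
BANNED_ELEMENTS = {"script", "handler", "foreignObject", "iframe", "embed",
                   "object", "set", "animate", "animateTransform", "animateMotion"}
DANGEROUS_SCHEMES = ("javascript:", "vbscript:", "data:text/html")


def _local(qname: str) -> str:
    """'{http://www.w3.org/2000/svg}script' -> 'script' (prefix-independent)."""
    return qname.rsplit("}", 1)[-1]


def _is_dangerous_url(value: str) -> bool:
    # Browsers ignore whitespace/control characters inside a scheme, so
    # "java&#9;script:" still runs; normalise before comparing.
    compact = re.sub(r"[\s\x00-\x1f]+", "", value).lower()
    return compact.startswith(DANGEROUS_SCHEMES)


def _bad_attrs(elem: ET.Element) -> list:
    """Attribute keys on elem that can run script: on* handlers, javascript: URLs."""
    bad = []
    for attr, value in elem.attrib.items():
        name = _local(attr)
        if name.lower().startswith("on"):
            bad.append(attr)
        elif name in ("href", "src") and _is_dangerous_url(value):
            bad.append(attr)
    return bad


def scan_svg(svg_text: str) -> list:
    """Return human-readable findings; an empty list means no known vector."""
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError as exc:
        return [f"unparsable XML ({exc}): reject rather than serve"]
    findings = []
    if _local(root.tag) != "svg":
        findings.append(f"root element is <{_local(root.tag)}>, not <svg>")
    for elem in root.iter():
        tag = _local(elem.tag)
        if tag in BANNED_ELEMENTS:
            findings.append(f"element <{tag}>")
        for attr in _bad_attrs(elem):
            findings.append(f"attribute {_local(attr)}={elem.attrib[attr]!r} on <{tag}>")
    return findings


def sanitize_svg(svg_text: str) -> str:
    """Drop banned elements (with their subtrees) and scripting attributes, then
    re-serialise.  Only the parsed tree is written back out, so CDATA wrappers
    and entity encodings the attacker relied on do not survive the round trip."""
    root = ET.fromstring(svg_text)            # ParseError propagates: reject the upload
    if _local(root.tag) != "svg":
        raise ValueError("not an SVG document")
    # Snapshot the tree first: removing nodes while iterating root.iter() skips siblings.
    for parent in list(root.iter()):
        for child in list(parent):
            if _local(child.tag) in BANNED_ELEMENTS:
                parent.remove(child)
    for elem in root.iter():
        for attr in _bad_attrs(elem):
            del elem.attrib[attr]
    return ET.tostring(root, encoding="unicode")


def scan_directory(upload_dir: Path) -> Iterator:
    """Yield (path, findings) for every *.svg under upload_dir that has findings."""
    if not upload_dir.is_dir():
        return
    for path in upload_dir.rglob("*"):
        if path.is_file() and path.suffix.lower() == ".svg":
            findings = scan_svg(path.read_text(encoding="utf-8", errors="replace"))
            if findings:
                yield path, findings


# Constructed sample (not a real upload) mixing several encodings of the payload:
# a CDATA script, a tab-obfuscated javascript: link and HTML inside foreignObject.
MALICIOUS_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" onload="alert(document.domain)">
  <script><![CDATA[ fetch('/admin/') ]]></script>
  <a xlink:href="java&#9;script:alert(1)"><text>click</text></a>
  <foreignObject><div xmlns="http://www.w3.org/1999/xhtml"><img src="x" onerror="alert(2)"/></div></foreignObject>
  <circle r="10"/>
</svg>"""
BENIGN_SVG = '<svg xmlns="http://www.w3.org/2000/svg"><circle r="10"/></svg>'

if __name__ == "__main__":
    for finding in scan_svg(MALICIOUS_SVG):
        print("FOUND:", finding)
    print(sanitize_svg(MALICIOUS_SVG))
    # Assumed GetSimple upload location; adjust to your install.
    for path, findings in scan_directory(Path("/var/www/getsimple/data/uploads")):
        print(path, findings)
```

Run it against the real upload directory to list files that need removal, and call sanitize_svg at upload time if SVG must stay enabled. The sanitizer rejects anything the XML parser cannot parse instead of guessing, and it is a stop-gap for a static-image use case; it does not try to preserve animation or embedded HTML, and it is not a substitute for serving uploads with a sandboxing header.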