CVE-2026-5203
Received Received - Intake
Path Traversal in CMS Made Simple UserGuide Module Allows Remote Exploit

Publication date: 2026-03-31

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability was found in CMS Made Simple up to 2.2.22. This impacts the function _copyFilesToFolder in the library modules/UserGuide/lib/class.UserGuideImporterExporter.php of the component UserGuide Module XML Import. The manipulation results in path traversal. It is possible to launch the attack remotely. The exploit has been made public and could be used. This issue has been reported early to the project. They confirmed, that "this has already been discovered and fixed for the next release."
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-31
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-03-31
EPSS Evaluated
2026-06-15
NVD
CVE-2026-5203
EUVD
EUVD-2026-17508
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
cms_made_simple cms_made_simple to 2.2.22 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in CMS Made Simple up to version 2.2.22, specifically in the function _copyFilesToFolder within the UserGuide Module XML Import component. It allows an attacker to perform a path traversal attack by manipulating the function, which can be exploited remotely.

The issue was reported early and has been confirmed as fixed in the next release of the software.

Impact Analysis

The vulnerability allows remote attackers to manipulate file paths, potentially accessing or overwriting files outside the intended directory. This can lead to unauthorized access to sensitive files, data leakage, or modification of critical files within the system.

Mitigation Strategies

The vulnerability has been confirmed and fixed in the next release of CMS Made Simple. Immediate mitigation steps include updating the CMS Made Simple installation to the latest version once it is available.

Since the vulnerability allows remote path traversal via the UserGuide Module XML Import component, restricting access to this module or disabling it temporarily could reduce risk until the patch is applied.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-5203. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart