CVE-2026-38931
Deferred Deferred - Pending Action
Stored XSS in SimplePHP Admin Panel via Admin Config Module

Publication date: 2026-05-27

Last updated on: 2026-05-27

Assigner: MITRE

Description
A stored cross-site scripting (XSS) vulnerability in the /admin/config-module.php component of creatorsofcode simplephp GitHub commit 5184cff (Latest as of 2026-02-27) via injecting a crafted payload.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-27
Last Modified
2026-05-27
Generated
2026-06-17
AI Q&A
2026-05-27
EPSS Evaluated
2026-06-15
NVD
CVE-2026-38931
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
creatorsofcode simplephp *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a stored cross-site scripting (XSS) issue found in the /admin/config-module.php component of the creatorsofcode simplephp application. It occurs when an attacker injects a crafted payload that gets stored and later executed in the context of the application, potentially affecting users who access the vulnerable component.

Impact Analysis

The stored XSS vulnerability can allow attackers to execute malicious scripts in the browsers of users who visit the affected component. This can lead to unauthorized actions such as stealing session cookies, defacing web content, or performing actions on behalf of the user without their consent.

Compliance Impact

The stored cross-site scripting (XSS) vulnerability in the /admin/config-module.php component of simplephp allows attackers to execute malicious scripts in users' browsers, potentially leading to theft of cookies, sensitive data, or hijacking of administrator accounts.

Such unauthorized access and data exposure could negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive information against unauthorized access and breaches.

Therefore, exploitation of this vulnerability may result in violations of data protection requirements mandated by these regulations.

Detection Guidance

This vulnerability can be detected by logging into the admin backend of the simplephp application, navigating to the "Analytics Tracker" module, and checking the "Custom Head Tracking Code" field for any injected scripts or suspicious payloads such as <script>alert(666666)</script>.

A practical detection method involves injecting a harmless XSS payload into the module's configuration and then visiting the homepage to see if the script executes, confirming the presence of the vulnerability.

There are no specific network commands provided, but manual inspection of the admin panel configuration fields for injected scripts is recommended.

Mitigation Strategies

Immediate mitigation steps include avoiding the use of the vulnerable "Analytics Tracker" module's "Custom Head Tracking Code" field until a patch is applied.

Administrators should sanitize or remove any suspicious scripts from the module's configuration to prevent stored XSS payloads from executing.

Additionally, restricting access to the admin backend to trusted users and monitoring for unusual activity can help reduce the risk of exploitation.

Applying any available updates or patches from the software maintainers as soon as they are released is also critical.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-38931. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart