{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-28495", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-27T20:57:47.708Z", "datePublished": "2026-03-10T19:25:00.732Z", "dateUpdated": "2026-03-10T19:51:57.515Z"}, "containers": {"cna": {"title": "GetSimple CMS has CSRF to Remote Code Execution via Arbitrary PHP Write in gsconfig.php", "problemTypes": [{"descriptions": [{"cweId": "CWE-352", "lang": "en", "description": "CWE-352: Cross-Site Request Forgery (CSRF)", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.7, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/GetSimpleCMS-CE/GetSimpleCMS-CE/security/advisories/GHSA-92wv-q2jp-qg88", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/GetSimpleCMS-CE/GetSimpleCMS-CE/security/advisories/GHSA-92wv-q2jp-qg88"}], "affected": [{"vendor": "GetSimpleCMS-CE", "product": "GetSimpleCMS-CE", "versions": [{"version": "<= 3.3.22", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-10T19:25:00.732Z"}, "descriptions": [{"lang": "en", "value": "GetSimple CMS is a content management system. The massiveAdmin plugin (v6.0.3) bundled with GetSimpleCMS-CE v3.3.22 allows an authenticated administrator to overwrite the gsconfig.php configuration file with arbitrary PHP code via the gsconfig editor module. The form lacks CSRF protection, enabling a remote unauthenticated attacker to exploit this via Cross-Site Request Forgery against a logged-in admin, achieving Remote Code Execution (RCE) on the web server."}], "source": {"advisory": "GHSA-92wv-q2jp-qg88", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-10T19:50:39.566454Z", "id": "CVE-2026-28495", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-10T19:51:57.515Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-28495", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-10T19:50:39.566454Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-10T19:51:52.847Z"}}], "cna": {"title": "GetSimple CMS has CSRF to Remote Code Execution via Arbitrary PHP Write in gsconfig.php", "source": {"advisory": "GHSA-92wv-q2jp-qg88", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.7, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "GetSimpleCMS-CE", "product": "GetSimpleCMS-CE", "versions": [{"status": "affected", "version": "<= 3.3.22"}]}], "references": [{"url": "https://github.com/GetSimpleCMS-CE/GetSimpleCMS-CE/security/advisories/GHSA-92wv-q2jp-qg88", "name": "https://github.com/GetSimpleCMS-CE/GetSimpleCMS-CE/security/advisories/GHSA-92wv-q2jp-qg88", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "GetSimple CMS is a content management system. The massiveAdmin plugin (v6.0.3) bundled with GetSimpleCMS-CE v3.3.22 allows an authenticated administrator to overwrite the gsconfig.php configuration file with arbitrary PHP code via the gsconfig editor module. The form lacks CSRF protection, enabling a remote unauthenticated attacker to exploit this via Cross-Site Request Forgery against a logged-in admin, achieving Remote Code Execution (RCE) on the web server."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-352", "description": "CWE-352: Cross-Site Request Forgery (CSRF)"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-10T19:25:00.732Z"}}}, "cveMetadata": {"cveId": "CVE-2026-28495", "state": "PUBLISHED", "dateUpdated": "2026-03-10T19:51:57.515Z", "dateReserved": "2026-02-27T20:57:47.708Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-10T19:25:00.732Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:getsimple-ce:getsimple_cms:*:*:*:*:community:*:*:*", "matchCriteriaId": "10781A5F-4F78-4068-9876-29EF0A48A372", "versionEndIncluding": "3.3.22", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "GetSimple CMS is a content management system. The massiveAdmin plugin (v6.0.3) bundled with GetSimpleCMS-CE v3.3.22 allows an authenticated administrator to overwrite the gsconfig.php configuration file with arbitrary PHP code via the gsconfig editor module. The form lacks CSRF protection, enabling a remote unauthenticated attacker to exploit this via Cross-Site Request Forgery against a logged-in admin, achieving Remote Code Execution (RCE) on the web server."}, {"lang": "es", "value": "GetSimple CMS es un sistema de gesti\u00f3n de contenido. El plugin massiveAdmin (v6.0.3) incluido con GetSimpleCMS-CE v3.3.22 permite a un administrador autenticado sobrescribir el archivo de configuraci\u00f3n gsconfig.php con c\u00f3digo PHP arbitrario a trav\u00e9s del m\u00f3dulo editor de gsconfig. El formulario carece de protecci\u00f3n CSRF, lo que permite a un atacante remoto no autenticado explotar esto mediante falsificaci\u00f3n de petici\u00f3n en sitios cruzados contra un administrador con sesi\u00f3n iniciada, logrando ejecuci\u00f3n remota de c\u00f3digo (RCE) en el servidor web."}], "id": "CVE-2026-28495", "lastModified": "2026-03-12T18:21:10.780", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.6, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 6.0, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-10T20:16:37.663", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/GetSimpleCMS-CE/GetSimpleCMS-CE/security/advisories/GHSA-92wv-q2jp-qg88"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.3.22]"}}], "enrichment": {"confidence": 88.0, "confidence_source": "matching", "scores": [{"score": 88.0, "source": "matching"}]}, "original": {"product": "GetSimpleCMS-CE", "source": "cna", "vendor": "GetSimpleCMS-CE"}, "product": "getsimple_cms", "vendor": "getsimple-ce"}], "analysis": {"en": {"generated_at": "2026-04-16T03:28:50.290976+00:00", "value": {"mitigation_remediation": ["Upgrade to the latest GetSimple CMS Community Edition that removes the vulnerable massiveAdmin plugin or apply any vendor-released patch that corrects the CSRF protection on the gsconfig editor.", "If an upgrade is unavailable, uninstall or disable the massiveAdmin plugin and the gsconfig editor module to eliminate the code-write capability.", "Restrict access to the CMS\u2019s administrative interface to the minimum necessary users and, if possible, protect the admin interface with IP-based or two-factor authentication to reduce the window for a CSRF attack.", "Add anti-CSRF tokens to all forms within the admin interface or enable any framework-level CSRF mechanism to prevent unauthorized form submissions."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "Affected systems are instances of GetSimple CMS Community Edition running version 3.3.22 that include the massiveAdmin plugin version 6.0.3. The plugin adds the vulnerable gsconfig editor functionality. Any deployment that has not applied a newer CMS release or removed the plugin is at risk.", "description_and_impact": "This vulnerability exists in the massiveAdmin plugin (v6.0.3) bundled with GetSimpleCMS-CE v3.3.22. The gsconfig editor module fails to include any cross-site request forgery protection. An attacker who can send a crafted request to the editor form can cause the server to write arbitrary PHP code into the gsconfig.php configuration file. Because a logged-in administrator\u2019s session is used, the injected code executes with the web server\u2019s account, giving the attacker full remote code execution capabilities. The weakness aligns with CWE-352, a cross-site request forgery flaw that enables privileged actions without authentication.", "risk_and_exploitability": "The CVSS score is 9.7, indicating critical severity, while the EPSS score is less than 1%, suggesting that, at the time of scoring, the exploitation probability is very low but not zero. The vulnerability is not listed in the CISA KEV catalog. An attacker can exploit the CSRF vector by convincing a logged-in administrator to visit a malicious URL that POSTs data to the editor endpoint, causing the server to write malicious PHP code to gsconfig.php. Once the file is processed by the web server, arbitrary code runs with the same privileges as the web process. Because the target is a logged-in administrator, the offset attack requires the victim to be authenticated, but the request can be triggered from an external site."}}}}, "created": "2026-03-11T11:43:20.993950+00:00", "updated": "2026-04-16T03:30:06.069948+00:00", "vendors": ["getsimple-ce", "getsimple-ce$PRODUCT$getsimple_cms"]}