CVE-2026-11975

Source
https://cve.org/CVERecord?id=CVE-2026-11975
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-11975.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-11975
Published
2026-06-17T12:18:28.771Z
Modified
2026-07-08T08:12:39.859309834Z
Severity
  • 6.2 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:H/SI:H/SA:N CVSS Calculator
Summary
Stored Cross-Site Scripting (XSS) in SimplCommerce News Module Admin Interface
Details

Stored cross-site scripting (XSS) in NewsItemApiController In SimplCommerce prior to commit 6142d3b5 allows an authenticated administrator to execute arbitrary JavaScript via the ShortContent and FullContent fields, which are stored without HTML sanitization and rendered unencoded via @Html.Raw()

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/11xxx/CVE-2026-11975.json",
    "cna_assigner": "Checkmarx",
    "cwe_ids": [
        "CWE-79"
    ],
    "unresolved_ranges": [
        {
            "extracted_events": [
                {
                    "fixed": "6142d3b5"
                }
            ],
            "source": "AFFECTED_FIELD"
        }
    ]
}
References

Affected packages

Git / github.com/simplcommerce/simplcommerce

Affected ranges

Type
GIT
Repo
https://github.com/simplcommerce/simplcommerce
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "source": "REFERENCES"
}

Affected versions

1.*
1.0-beta
v0.*
v0.1-netcore1.1
v1.*
v1.0.0-rc

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-11975.json"