CVE-2026-27147

Source
https://cve.org/CVERecord?id=CVE-2026-27147
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-27147.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-27147
Aliases
  • GHSA-5gmq-hrcx-6w45
Published
2026-02-20T23:14:00.838Z
Modified
2026-03-03T02:56:15.051685Z
Severity
  • 6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
Summary
GetSimple CMS: Stored Cross-Site Scripting (XSS) via SVG File Upload (Authenticated)
Details

GetSimple CMS is a content management system. All versions of GetSimple CMS are vulnerable to stored XSS through SVG file uploads. Authenticated users can upload SVG files via the administrative upload functionality, and the uploaded files are not properly sanitized or restricted, allowing an attacker to embed malicious JavaScript. When the uploaded SVG file is accessed, the script executes in the browser. This issue does not have a fix at the time of publication.

Database specific
{
    "cwe_ids": [
        "CWE-79"
    ],
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/27xxx/CVE-2026-27147.json"
}
Affected packages

Git /

Affected ranges

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-27147.json"