CVE-2026-28495 - Vulnerability Analysis
Severity: Critical | CVSS: 9.6 | Last Updated: March 11, 2026
GetSimple CMS - Cross-Site Request Forgery
Published: March 10, 2026 | Updated: March 11, 2026 | Remote Exploitable
Overview
GetSimple CMS 3.3.22 with the massiveAdmin plugin v6.0.3 contains a remote code execution vulnerability caused by a lack of CSRF protection in the gsconfig editor module. An unauthenticated attacker can abuse the session of a logged-in administrator to execute arbitrary PHP code.
Severity & Score
Severity: Critical
CVSS Score: 9.6
Impact
Remote attackers can execute arbitrary PHP code on the web server, leading to full server compromise.
Mitigation
Update GetSimple CMS and the massiveAdmin plugin to the latest versions, which include CSRF protection.
Details
- CVE ID: CVE-2026-28495
- Severity: Critical
- CVSS Score: 9.6
- Type: cross_site_request_forgery
- Status: unconfirmed
CWE
- CWE-352
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H