Description

CMSimple 5.4 contains a cross-site scripting vulnerability that allows attackers to bypass input filtering by using HTML to Unicode encoding. Attackers can inject malicious scripts by encoding payloads like ')-alert(1)// and execute arbitrary JavaScript when victims interact with delete buttons.

Related CPE's

Could not find any relations

References

https://www.cmsimple.org/en/

https://www.exploit-db.com/exploits/50612

https://www.vulncheck.com/advisories/cmsimple-cross-site-scripting-via-html-unicode-encoding

Weaknesses

[email protected]

Primary
CWE-79

CVSS impact metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

6.1 · Medium

  • CVSS V3.1

  • CVSS V3.0

  • CVSS V2.0

Information

Source identifier

[email protected]

Vulnerability status

Received

Published

2025-12-23T20:15:44.973

5 hours ago

Last modified

2025-12-23T20:15:44.973

5 hours ago