CMSimple
cpe:2.3:a:cmsimple:cmsimple:*:*:*:*:*:*:*
- 5.2
A stored cross-site scripting (XSS) vulnerability has been identified in CMSimple version 5.2. The issue resides in the Filebrowser External input field, which saves attacker-supplied JavaScript without filtering it. The stored script executes when users interact with the Page or Files tabs.
Successful exploitation results in stored cross-site scripting: the injected script executes in the context of the user.
To reproduce this vulnerability, navigate to the Filebrowser External input field in the CMSimple 5.2 settings and enter JavaScript code into the field; the input is not filtered before being saved. Once saved, the code executes when the Page or Files tabs are clicked.