CVE-2026-27161
Published: 21 February 2026
Summary
CVE-2026-27161 is a high-severity information exposure (CWE-200, Exposure of Sensitive Information to an Unauthorized Actor) in GetSimple CMS, maintained as the GetSimpleCMS-CE project. Its CVSS base score is 8.7 (High); the CVSS v3.1 vector quoted in the analysis below scores it 7.5.
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 32.8th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a referenced public proof-of-concept.
The strongest mitigations our analysis identified are NIST 800-53 AC-22 (Publicly Accessible Content) and AC-3 (Access Enforcement).
Deeper analysis
CVE-2026-27161 affects all versions of GetSimple CMS, a content management system. The issue arises because the software relies on .htaccess files to restrict access to sensitive directories such as /data/ and /backups/. When Apache's AllowOverride directive is set to None (a configuration common in hardened or shared hosting environments, and Apache's own default since 2.3.9), these .htaccess protections are silently ignored: Apache emits no warning, it simply never reads the files. Web servers that never process .htaccess at all, nginx among them, leave those directories exposed in the same way. The result is unauthorized access to the contents of /data/ and /backups/.
Unauthenticated attackers can exploit this vulnerability remotely with low attack complexity, requiring no privileges or user interaction. Successful exploitation allows them to list directory contents and download sensitive files, including authorization.xml, which contains cryptographic salts and API keys. The CVSS v3.1 base score is 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), reflecting high confidentiality impact and mapping to CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor).
The GitHub Security Advisory at https://github.com/GetSimpleCMS-CE/GetSimpleCMS-CE/security/advisories/GHSA-f63g-xh6j-q56g, published on 2026-02-21, confirms that no fix is available at the time of disclosure.
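Because no upstream fix exists, the restriction has to move out of .htaccess and into the server configuration, where AllowOverride cannot discard it. The two vhost fragments below are an added example, not configuration from the advisory or the GetSimpleCMS-CE project: the first reproduces the vulnerable state, the second hardens it. The /var/www/getsimple path, the hostname, and the assumption that only data/uploads/ must remain publicly reachable are illustrative; check them against your own install before applying.

```apache
# --- Vulnerable state: the CMS's own .htaccess files are the only control,
# --- and this vhost never reads them.
<VirtualHost *:443>
    ServerName cms.example.test
    DocumentRoot /var/www/getsimple
    <Directory /var/www/getsimple>
        # .htaccess in data/ and backups/ is silently ignored from here on
        AllowOverride None
        Options Indexes FollowSymLinks
        Require all granted
    </Directory>
</VirtualHost>

# --- Hardened state: keep AllowOverride None (it is the safer default), but
# --- state the restrictions in the server configuration, where nothing can
# --- silently drop them.  Requires Apache 2.4 (Require / mod_authz_core).
<VirtualHost *:443>
    ServerName cms.example.test
    DocumentRoot /var/www/getsimple
    <Directory /var/www/getsimple>
        AllowOverride None
        # never auto-generate a listing anywhere under the docroot
        Options -Indexes +FollowSymLinks
        Require all granted
    </Directory>
    # <Directory> sections merge shortest path first, so these longer paths
    # override the grant above for the two trees the advisory names.
    <Directory /var/www/getsimple/data>
        Require all denied
    </Directory>
    <Directory /var/www/getsimple/backups>
        Require all denied
    </Directory>
    # Assumption: media uploaded through the CMS is served from data/uploads
    # and must stay reachable.  Re-open only that subtree, nothing else.
    <Directory /var/www/getsimple/data/uploads>
        Require all granted
    </Directory>
</VirtualHost>
```

Run `apachectl configtest` before reloading. The same probe that confirms exposure on a live site also verifies the fix: `curl -s -o /dev/null -w '%{http_code}\n' https://cms.example.test/data/` and the equivalent for `/backups/` should print 403 afterwards; a 200 means the deny is not being applied to the tree you expected, usually because the filesystem path in the `<Directory>` block does not match the real DocumentRoot.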
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-7750
Vulnerability details
GetSimple CMS is a content management system. All versions of GetSimple CMS rely on .htaccess files to restrict access to sensitive directories such as /data/ and /backups/. If Apache AllowOverride is disabled (common in hardened or shared hosting environments), these protections are silently ignored, allowing unauthenticated attackers to list and download sensitive files including authorization.xml, which contains cryptographic salts and API keys. This issue does not have a fix at the time of publication.
- CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
- T1190 Exploit Public-Facing Application: the CMS is internet-facing and the flaw needs no authentication or user interaction.
- T1083 File and Directory Discovery: directory listings of /data/ and /backups/ are served when the .htaccess rules are ignored.
- T1005 Data from Local System: files in those paths can be downloaded directly.
- T1552.001 Unsecured Credentials: Credentials In Files: authorization.xml exposes the cryptographic salts and API keys.
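To find out whether an install has been probed, or already had these files served, the access log is the first place to look. The script below is an added example, not code from the advisory or the GetSimpleCMS-CE project: it classifies Apache combined-format log lines against the paths the advisory names and ranks the worst finding per client. The sample log lines are constructed; the data/other/authorization.xml location and the assumption that data/uploads/ is public media are assumptions about a typical install, not facts stated on this page.

```python
"""Flag Apache access-log entries that indicate probing or successful
exposure of the GetSimple CMS data/ and backups/ trees (CVE-2026-27161).

Added example.  Log lines are constructed; the authorization.xml location
under data/other/ and the public data/uploads/ tree are assumptions."""
import re
from urllib.parse import unquote

# Apache "combined" LogFormat:
#   %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" '
    r'(?P<status>\d{3}) \S+'
)

PROTECTED_PREFIXES = ("/data/", "/backups/")   # named by the advisory
PUBLIC_PREFIXES = ("/data/uploads/",)          # assumption: served media
SEVERITY_ORDER = ("info", "low", "medium", "high", "critical")


def normalize(path):
    """Strip the query string, percent-decode and collapse '//' and '/./'
    so that '/data//other/' and '/data/%6Fther/' still match the prefix."""
    path = unquote(path.split("?", 1)[0])
    while "//" in path:
        path = path.replace("//", "/")
    while "/./" in path:
        path = path.replace("/./", "/")
    return path


def classify(path, status):
    """Return (severity, reason) for one request, or None if the request
    is outside the protected trees (or inside the assumed-public one)."""
    p = normalize(path)
    if p.startswith(PUBLIC_PREFIXES):
        return None
    # '/data' without a slash is the usual DirectorySlash redirect target
    if not (p.startswith(PROTECTED_PREFIXES) or p + "/" in PROTECTED_PREFIXES):
        return None
    is_auth = p.endswith("/authorization.xml")
    if status.startswith("2"):
        if is_auth:
            return "critical", "authorization.xml served (salts/API keys)"
        if p.endswith("/"):
            return "high", "directory listing served"
        return "high", "file in protected tree served"
    if status.startswith("4"):
        return ("medium" if is_auth else "low"), f"blocked with HTTP {status}"
    return "info", f"HTTP {status} (redirect or error)"


def scan(lines):
    """Parse each log line and return one finding dict per suspicious request."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                      # malformed line: skip, do not crash
        verdict = classify(m["path"], m["status"])
        if verdict is None:
            continue
        severity, reason = verdict
        findings.append({
            "ip": m["ip"], "ts": m["ts"], "method": m["method"],
            "path": m["path"], "status": int(m["status"]),
            "severity": severity, "reason": reason,
        })
    return findings


def worst_by_source(findings):
    """Highest severity seen per client IP, for triage ordering."""
    worst = {}
    for f in findings:
        cur = worst.get(f["ip"])
        if cur is None or SEVERITY_ORDER.index(f["severity"]) > SEVERITY_ORDER.index(cur):
            worst[f["ip"]] = f["severity"]
    return worst


# Constructed sample in Apache combined format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [21/Feb/2026:10:15:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [21/Feb/2026:10:15:02 +0000] "GET /data/ HTTP/1.1" 200 1843 "-" "curl/8.5.0"
203.0.113.7 - - [21/Feb/2026:10:15:03 +0000] "GET /data/other/authorization.xml HTTP/1.1" 200 412 "-" "curl/8.5.0"
203.0.113.7 - - [21/Feb/2026:10:15:04 +0000] "GET /backups/ HTTP/1.1" 200 980 "-" "curl/8.5.0"
198.51.100.9 - - [21/Feb/2026:11:02:11 +0000] "GET /data//other/authorization.xml HTTP/1.1" 403 199 "-" "python-requests/2.31"
198.51.100.9 - - [21/Feb/2026:11:02:12 +0000] "GET /data/uploads/logo.png HTTP/1.1" 200 20311 "https://example.test/" "Mozilla/5.0"
"""

if __name__ == "__main__":
    results = scan(SAMPLE_LOG.splitlines())
    for f in results:
        print(f"{f['severity']:8} {f['ip']:14} {f['status']} {f['path']}  {f['reason']}")
    print("worst per source:", worst_by_source(results))
```

On the sample, the first client is reported as critical (authorization.xml returned with HTTP 200) and the second as medium (the same file requested, blocked with 403, which is what a correctly hardened server should show). A critical finding means the salts and API keys in that file should be treated as compromised and rotated, not merely re-protected.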
Mitigating Controls (NIST 800-53 r5)
- AC-22 (Publicly Accessible Content): directly requires controls to restrict access to and protect sensitive files like authorization.xml in publicly accessible CMS directories such as /data/ and /backups/.
- AC-3 (Access Enforcement): enforces approved authorizations for logical access to sensitive system resources, preventing unauthenticated directory listing and file downloads regardless of .htaccess reliance.
- Secure configuration settings: mandates hardened web-server configuration that restricts access to sensitive directories even when Apache AllowOverride is disabled, which in practice means the restriction lives in the main server configuration rather than in .htaccess.