Cyber Resilience

CVE-2026-27161

High · Public PoC

Published: 21 February 2026
Modified: 24 February 2026
KEV Added: not listed
Patch: none available
CVSS Score (v4): 8.7
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0041 (32.8th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-27161 is a high-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in Getsimple-Ce Getsimple Cms. Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 32.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-22 (Publicly Accessible Content) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2026-27161 is a vulnerability in all versions of GetSimple CMS, a content management system. The issue arises because the software relies on .htaccess files to restrict access to sensitive directories such as /data/ and /backups/. When Apache's AllowOverride directive is disabled—a configuration common in hardened or shared hosting environments—these .htaccess protections are silently ignored, enabling unauthorized access to those directories.

Unauthenticated attackers can exploit this vulnerability remotely with low attack complexity, requiring no privileges or user interaction. Successful exploitation allows them to list directory contents and download sensitive files, including authorization.xml, which contains cryptographic salts and API keys. The CVSS v3.1 base score is 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), reflecting high confidentiality impact and mapping to CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor).

The GitHub Security Advisory at https://github.com/GetSimpleCMS-CE/GetSimpleCMS-CE/security/advisories/GHSA-f63g-xh6j-q56g, published on 2026-02-21, confirms that no fix is available at the time of disclosure.

Vulnerability details

GetSimple CMS is a content management system. All versions of GetSimple CMS rely on .htaccess files to restrict access to sensitive directories such as /data/ and /backups/. If Apache AllowOverride is disabled (common in hardened or shared hosting environments), these protections are silently ignored, allowing unauthenticated attackers to list and download sensitive files including authorization.xml, which contains cryptographic salts and API keys. This issue does not have a fix at the time of publication.

CWE(s): CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1083 File and Directory Discovery (Discovery)
Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system.
T1005 Data from Local System (Collection)
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
T1552.001 Credentials In Files (Credential Access)
Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.
Why these techniques?

A vulnerability in a public-facing CMS is reached directly through T1190; it allows unauthenticated directory listing (T1083) and file download (T1005) from sensitive paths, exposing credentials and keys stored in files (T1552.001).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-27202 (same product: Getsimple-Ce Getsimple Cms)
CVE-2026-28495 (same product: Getsimple-Ce Getsimple Cms)
CVE-2025-8590 (shared CWE-200)
CVE-2025-27784 (shared CWE-200)
CVE-2026-2268 (shared CWE-200)
CVE-2024-13638 (shared CWE-200)
CVE-2026-4660 (shared CWE-200)
CVE-2025-24232 (shared CWE-200)
CVE-2024-43707 (shared CWE-200)
CVE-2024-13562 (shared CWE-200)

Affected Assets

getsimple-ce / getsimple cms / versions ≤ 3.3.22

Mitigating Controls (NIST 800-53 r5) AI

AC-22 Publicly Accessible Content (prevent)
Directly requires controls to restrict access to and protect sensitive files like authorization.xml in publicly accessible CMS directories such as /data/ and /backups/.

AC-3 Access Enforcement (prevent)
Enforces approved authorizations for logical access to sensitive system resources, preventing unauthenticated directory listing and file downloads regardless of .htaccess reliance.

prevent
Mandates secure configuration settings for web servers to restrict access to sensitive directories even when Apache AllowOverride is disabled.
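The web-server configuration control above, and the AllowOverride failure mode described in the analysis, as an added example that is not from the advisory or the GetSimple project: the restriction on /data/ and /backups/ is moved out of .htaccess into the main Apache 2.4 configuration, where it is enforced whether or not AllowOverride is enabled. The document root /var/www/getsimple and the uploads subdirectory are assumptions.

```apache
# Added example, not from the advisory or from GetSimple CMS.
# Assumed document root; adjust to the real installation path.

# WEAK ON ITS OWN: AllowOverride None is a normal hardening step, but it also
# makes Apache ignore the .htaccess files GetSimple relies on in /data/ and
# /backups/, so nothing is left protecting those directories.
<Directory "/var/www/getsimple">
    Options -Indexes +FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>

# CORRECTED: state the restriction in the main configuration (httpd.conf or a
# vhost file). Directives here are enforced regardless of AllowOverride.
<Directory "/var/www/getsimple/data">
    Require all denied
</Directory>
<Directory "/var/www/getsimple/backups">
    Require all denied
</Directory>

# Defence in depth: deny the credential file by name wherever it is found.
<Files "authorization.xml">
    Require all denied
</Files>

# Caveat (assumed layout): if public assets are served from a subdirectory of
# /data/, re-allow only that subdirectory; the more specific <Directory> block
# takes precedence over the broader deny.
# <Directory "/var/www/getsimple/data/uploads">
#     Options -Indexes
#     Require all granted
# </Directory>
```

Run `apachectl configtest` before reloading; afterwards a request to the site's own /data/ and /backups/ paths should return 403 rather than a directory listing or file contents.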
