Cyber Resilience

CVE-2026-28495

Critical · Public PoC

Published: 10 March 2026
Modified: 12 March 2026
CVSS v3.1 score: 9.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H)
EPSS score: 0.0029 (21.0th percentile)
Risk priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-28495 is a critical-severity Cross-Site Request Forgery (CSRF, CWE-352) vulnerability in Getsimple-Ce Getsimple Cms (GetSimpleCMS-CE). Its CVSS v3.1 base score is 9.6 (Critical).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 21.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-28495 is a critical vulnerability in GetSimple CMS, a content management system, specifically affecting the massiveAdmin plugin version 6.0.3 bundled with GetSimpleCMS-CE version 3.3.22. The gsconfig editor module in this plugin allows an authenticated administrator to overwrite the gsconfig.php configuration file with arbitrary PHP code. However, the form lacks Cross-Site Request Forgery (CSRF) protection (CWE-352), so the write can be triggered on behalf of an authenticated administrator by a party that does not hold the administrator's credentials.

A remote unauthenticated attacker can exploit this vulnerability by crafting a malicious webpage that, when visited by a logged-in administrator, submits a forged request to the gsconfig editor module. This CSRF attack causes the administrator's browser to overwrite gsconfig.php with attacker-controlled PHP code, resulting in remote code execution (RCE) on the web server. The vulnerability has a CVSS v3.1 base score of 9.6 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H): network accessible, low attack complexity, no privileges required, user interaction required, changed scope, and high confidentiality, integrity and availability impact.

The official mitigation guidance is detailed in the GitHub security advisory published by the GetSimpleCMS-CE project at https://github.com/GetSimpleCMS-CE/GetSimpleCMS-CE/security/advisories/GHSA-92wv-q2jp-qg88.

Vulnerability details

GetSimple CMS is a content management system. The massiveAdmin plugin (v6.0.3) bundled with GetSimpleCMS-CE v3.3.22 allows an authenticated administrator to overwrite the gsconfig.php configuration file with arbitrary PHP code via the gsconfig editor module. The form lacks CSRF protection, enabling a remote unauthenticated attacker to exploit this via Cross-Site Request Forgery against a logged-in admin, achieving Remote Code Execution (RCE) on the web server.

CWE(s)

CWE-352 Cross-Site Request Forgery (CSRF)

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059 Command and Scripting Interpreter (Execution): Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
Why these techniques?

The vulnerability in the public-facing GetSimple CMS enables direct exploitation for RCE (T1190) by overwriting a PHP configuration file; the resulting arbitrary code execution maps to Command and Scripting Interpreter (T1059).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-27202 · Same product: Getsimple-Ce Getsimple Cms
CVE-2026-27161 · Same product: Getsimple-Ce Getsimple Cms
CVE-2025-23467 · Shared CWE-352
CVE-2018-25170 · Shared CWE-352
CVE-2025-22336 · Shared CWE-352
CVE-2025-23821 · Shared CWE-352
CVE-2025-22582 · Shared CWE-352
CVE-2025-23639 · Shared CWE-352
CVE-2024-50858 · Shared CWE-352
CVE-2025-23558 · Shared CWE-352

Affected Assets

getsimple-ce · getsimple cms · ≤ 3.3.22

Mitigating Controls (NIST 800-53 r5) (AI)

[prevent] SC-23 mandates session authenticity mechanisms like CSRF tokens to ensure requests to the gsconfig editor originate from legitimate user actions, directly preventing forged CSRF attacks.

[prevent] SI-10 requires validation and sanitization of inputs to the gsconfig editor form, blocking injection of arbitrary PHP code into the configuration file.

[prevent, detect] SI-7 employs integrity verification mechanisms to detect and prevent unauthorized modifications to critical files like gsconfig.php resulting from the exploited form.
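The CSRF-token defense that SC-23 calls for, applied to the forged-request pattern described under Deeper analysis, as an added example in PHP that is not GetSimple CMS or massiveAdmin code: a synchronizer token is issued once per session, embedded in the editor form as a hidden field, and compared in constant time before anything is written; a mismatched Origin (or Referer) header is an independent second reason to refuse. The function names, the $session array standing in for $_SESSION, the site origin and the temporary file path are assumptions made for this example.

```php
<?php
// Added example (not GetSimple CMS / massiveAdmin code): synchronizer-token
// CSRF protection for a form that rewrites a PHP config file (NIST SC-23).
// Function names and the $session array (a stand-in for $_SESSION) are
// hypothetical.
declare(strict_types=1);

// Issue one random token per session and return it for the hidden field.
function csrf_issue_token(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// Render the hidden field; htmlspecialchars prevents attribute breakout.
function csrf_hidden_field(array &$session): string
{
    $t = htmlspecialchars(csrf_issue_token($session), ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="csrf_token" value="' . $t . '">';
}

// A cross-site page cannot read the victim's session token, so a forged
// submission fails the constant-time comparison. Browsers also send an
// Origin header on cross-site POSTs; a mismatch is refused as well.
function csrf_request_is_valid(array $session, array $post, array $headers, string $siteOrigin): bool
{
    $expected = $session['csrf_token'] ?? '';
    $given    = $post['csrf_token'] ?? '';
    if ($expected === '' || !is_string($given) || !hash_equals($expected, $given)) {
        return false;
    }
    $origin = $headers['Origin'] ?? null;
    if ($origin === null && isset($headers['Referer'])) {
        $p = parse_url($headers['Referer']);
        if ($p !== false && isset($p['scheme'], $p['host'])) {
            $origin = $p['scheme'] . '://' . $p['host'] . (isset($p['port']) ? ':' . $p['port'] : '');
        }
    }
    // With neither header present the token alone decides.
    return $origin === null || strcasecmp($origin, $siteOrigin) === 0;
}

// Config-editor POST handler: the file is touched only after the check passes.
function handle_config_save(array &$session, array $post, array $headers, string $siteOrigin, string $configPath): string
{
    if (!csrf_request_is_valid($session, $post, $headers, $siteOrigin)) {
        error_log('CSRF check failed for config save, Origin=' . ($headers['Origin'] ?? 'none'));
        return 'rejected';
    }
    file_put_contents($configPath, (string) ($post['config'] ?? ''), LOCK_EX);
    return 'saved';
}

// Constructed demo: a same-site submission carrying the token versus a
// forged submission from another origin with no token. The temp file
// stands in for gsconfig.php.
$session = [];
$field   = csrf_hidden_field($session);   // would be emitted inside the editor form
$site    = 'https://cms.example';         // assumed site origin
$tmp     = tempnam(sys_get_temp_dir(), 'gsconfig');

$legit = ['csrf_token' => $session['csrf_token'], 'config' => "<?php \$GS_DEBUG = false;\n"];
echo handle_config_save($session, $legit, ['Origin' => $site], $site, $tmp), "\n";              // saved

$forged = ['config' => "<?php /* forged content */\n"];
echo handle_config_save($session, $forged, ['Origin' => 'https://other.example'], $site, $tmp), "\n"; // rejected

unlink($tmp);
```

Setting the session cookie with SameSite=Lax or Strict (via session_set_cookie_params) makes the browser withhold the admin session on cross-site POSTs in the first place, which complements the token check rather than replacing it. For SI-7, the same handler is a natural place to record a hash of the file it just wrote, so that an out-of-band change to gsconfig.php can be flagged.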
