CVE-2026-28495
Published: 10 March 2026
Summary
CVE-2026-28495 is a critical-severity CSRF (CWE-352) vulnerability in GetSimple CMS (GetSimpleCMS-CE). Its CVSS base score is 9.6 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It is ranked at the 29.3rd percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SC-23 mandates session authenticity mechanisms like CSRF tokens to ensure requests to the gsconfig editor originate from legitimate user actions, directly preventing forged CSRF attacks.
SI-10 requires validation and sanitization of inputs to the gsconfig editor form, blocking injection of arbitrary PHP code into the configuration file.
SI-7 employs integrity verification mechanisms to detect and prevent unauthorized modifications to critical files like gsconfig.php resulting from the exploited form.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A vulnerability in a public-facing GetSimple CMS installation enables direct exploitation for RCE (T1190) by overwriting the PHP configuration file; the resulting arbitrary code execution maps to Command and Scripting Interpreter (T1059).
NVD Description
GetSimple CMS is a content management system. The massiveAdmin plugin (v6.0.3) bundled with GetSimpleCMS-CE v3.3.22 allows an authenticated administrator to overwrite the gsconfig.php configuration file with arbitrary PHP code via the gsconfig editor module. The form lacks CSRF protection, enabling a remote unauthenticated attacker to exploit this via Cross-Site Request Forgery against a logged-in admin, achieving Remote Code Execution (RCE) on the web server.
Deeper analysis
CVE-2026-28495 is a critical vulnerability in GetSimple CMS, a content management system, specifically affecting the massiveAdmin plugin version 6.0.3 bundled with GetSimpleCMS-CE version 3.3.22. The gsconfig editor module in this plugin allows an authenticated administrator to overwrite the gsconfig.php configuration file with arbitrary PHP code. However, the form lacks Cross-Site Request Forgery (CSRF) protection, as classified under CWE-352, enabling exploitation beyond just authenticated users.
A remote unauthenticated attacker can exploit this vulnerability by crafting a malicious webpage that, when visited by a logged-in administrator, submits a forged request to the gsconfig editor module. This CSRF attack tricks the administrator's browser into overwriting gsconfig.php with attacker-controlled PHP code, resulting in remote code execution (RCE) on the web server. The vulnerability has a CVSS v3.1 base score of 9.6 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H), indicating high impact with network accessibility, low complexity, no privileges required, and user interaction needed.
The official mitigation guidance is detailed in the GitHub security advisory published by the GetSimpleCMS-CE project at https://github.com/GetSimpleCMS-CE/GetSimpleCMS-CE/security/advisories/GHSA-92wv-q2jp-qg88.
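As an added example, not code from GetSimple CMS or the massiveAdmin plugin, the following PHP handler shows the SC-23 control that the mitigating-controls section and the analysis above call for: a per-session synchronizer token, checked in constant time, gating the form that writes the configuration file, with an Origin check as a second layer. The session key, the site origin and the form field names are assumptions.

```php
<?php
// Added example (not the massiveAdmin plugin's own code): synchronizer-token
// CSRF protection for a config-editor form handler. Names are hypothetical.
declare(strict_types=1);

session_start();
const CSRF_SESSION_KEY = 'gsconfig_csrf_token';
const ALLOWED_ORIGIN   = 'https://cms.example.test'; // assumed site origin

// Issue one unpredictable token per session and embed it as a hidden field.
function csrfToken(): string
{
    if (empty($_SESSION[CSRF_SESSION_KEY])) {
        $_SESSION[CSRF_SESSION_KEY] = bin2hex(random_bytes(32));
    }
    return $_SESSION[CSRF_SESSION_KEY];
}

// Compare the submitted token in constant time; reject non-strings
// (e.g. csrf_token[]=... submitted as an array).
function csrfTokenValid(mixed $submitted): bool
{
    $expected = $_SESSION[CSRF_SESSION_KEY] ?? '';
    return $expected !== '' && is_string($submitted)
        && hash_equals($expected, $submitted);
}

// Defence in depth: browsers attach the originating page's Origin to a
// cross-site POST, so a forged request carries the attacker site's origin.
function originAllowed(): bool
{
    return ($_SERVER['HTTP_ORIGIN'] ?? '') === ALLOWED_ORIGIN;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrfTokenValid($_POST['csrf_token'] ?? null) || !originAllowed()) {
        http_response_code(403);
        exit('Request rejected: missing or invalid CSRF token or origin.');
    }
    // Only a request that passed both checks may reach the privileged action
    // (the write to the configuration file), after SI-10 style validation
    // of $_POST['config'].
}
?>
<form method="post" action="">
  <input type="hidden" name="csrf_token"
         value="<?= htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8') ?>">
  <textarea name="config"></textarea>
  <button type="submit">Save configuration</button>
</form>
```

The Origin check assumes browsers that send Origin on every POST; where a deployment must support clients that omit it on same-origin requests, fall back to a Referer check rather than dropping the token check.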
Details
- CWE(s)