Platform
php
Component
code-projects-simple-content-management-system
Fixed in
1.0.1
A cross-site scripting (XSS) vulnerability has been discovered in Simple Content Management System versions 1.0.0 through 1.0. This flaw resides within the /web/admin/welcome.php file and allows an attacker to inject malicious scripts. Successful exploitation can lead to session hijacking and defacement. The vulnerability is publicly known and an exploit is available.
The primary impact of CVE-2026-6184 is the potential for cross-site scripting (XSS) attacks. An attacker can inject malicious JavaScript code into the News Title field of the admin panel. When a user with sufficient privileges views the welcome page, the injected script executes in their browser context. This can lead to session hijacking, where the attacker steals the user's session cookie and gains unauthorized access to their account. Furthermore, the attacker could deface the website or redirect users to malicious sites. The public availability of an exploit significantly increases the risk of exploitation.
This vulnerability is publicly known, and a proof-of-concept exploit is available, increasing the likelihood of exploitation. It is not currently listed on CISA KEV. The LOW CVSS score reflects the relatively limited impact and ease of mitigation, but the public exploit availability warrants immediate attention. The vulnerability's location in an admin panel suggests a higher risk if the admin account is compromised.
Administrators of Simple Content Management System instances running versions 1.0.0 through 1.0 are at direct risk. Shared hosting environments utilizing this CMS are particularly vulnerable, as a compromised account could potentially impact other websites hosted on the same server. Those who have not implemented robust input validation practices are also at increased risk.
• php / server:
grep -r "News Title" /var/www/html/web/admin/welcome.php
• generic web:
curl -I 'http://your-website.com/web/admin/welcome.php?News+Title=<script>alert(1)</script>'
Exploit status
EPSS
0.03% (9th percentile)
CISA SSVC
CVSS vector
The recommended mitigation for CVE-2026-6184 is to upgrade to a patched version of Simple Content Management System. Since no fixed version is specified, thoroughly review the codebase for input validation vulnerabilities, particularly in the /web/admin/welcome.php file. Implement strict input sanitization and output encoding to prevent XSS. As a temporary workaround, consider implementing a Web Application Firewall (WAF) rule to block requests containing suspicious characters in the News Title parameter. After applying mitigations, test the welcome page with various inputs to confirm the vulnerability is no longer exploitable.
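The output-encoding fix described above, as an added illustration rather than code from the Simple Content Management System project: `renderTitleVulnerable`, `renderTitleSafe` and `validateNewsTitle` are hypothetical helper names, the sample title is constructed, and PHP 8 or later is assumed for `str_contains`.

```php
<?php
// Added example, not the project's own welcome.php. The $storedTitle value is a
// constructed stand-in for a "News Title" saved through the admin panel.
declare(strict_types=1);

$storedTitle = '<script>alert(1)</script> Weekly update';

// Vulnerable pattern: the stored value is interpolated into HTML unencoded, so the
// browser parses the <script> element and runs it for anyone viewing the page.
function renderTitleVulnerable(string $title): string
{
    return "<h2 class=\"news-title\">$title</h2>";
}

// Hardened pattern: encode on output for the HTML context the value lands in.
// ENT_QUOTES also encodes single quotes, so the helper is safe inside quoted
// attributes; ENT_SUBSTITUTE avoids an empty result on invalid UTF-8.
function renderTitleSafe(string $title): string
{
    $encoded = htmlspecialchars($title, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return "<h2 class=\"news-title\">$encoded</h2>";
}

// Defence in depth on input: accept only plain text of reasonable length so markup
// never reaches storage. Output encoding is still required, because rows written
// before this check existed may already contain tags.
function validateNewsTitle(string $title): bool
{
    return $title === strip_tags($title) && mb_strlen($title, 'UTF-8') <= 120;
}

$unsafe = renderTitleVulnerable($storedTitle);
$safe   = renderTitleSafe($storedTitle);

// Self-check: the hardened output must carry the tag only as literal text.
if (str_contains($safe, '<script>') || !str_contains($safe, '&lt;script&gt;')) {
    throw new RuntimeException('output encoding failed');
}
if (validateNewsTitle($storedTitle) || !validateNewsTitle('Weekly update')) {
    throw new RuntimeException('input validation failed');
}

echo "vulnerable: $unsafe", PHP_EOL;
echo "hardened:   $safe", PHP_EOL;
```

Apply the same encoding at every place the title is echoed, and choose the matching encoder if the value ever lands in a JavaScript or URL context instead of HTML text.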
Update Simple Content Management System to a fixed version. Check the vendor's website or the community forums for information on available updates. As a temporary measure, you can disable the 'News Title' input or apply strict input validation to prevent the injection of malicious code.
CVE-2026-6184 is a cross-site scripting (XSS) vulnerability affecting Simple Content Management System versions 1.0.0–1.0, allowing attackers to inject malicious scripts via the News Title parameter.
You are affected if you are running Simple Content Management System version 1.0.0–1.0 and have not applied a patch or implemented mitigating controls.
Upgrade to a patched version of Simple Content Management System as soon as it becomes available. Until then, implement input validation and consider using a WAF.
While active campaigns are not confirmed, a public proof-of-concept exists, increasing the risk of exploitation.
Refer to the Simple Content Management System website or security mailing list for the official advisory regarding CVE-2026-6184.