Platform: php
Component: massiveadmin
Fixed in: 3.3.23
CVE-2026-28495 is a critical Remote Code Execution (RCE) vulnerability affecting the massiveAdmin plugin bundled with GetSimpleCMS-CE versions up to 3.3.22. An attacker can exploit this flaw to overwrite the gsconfig.php configuration file with arbitrary PHP code, leading to complete server compromise. The vulnerability stems from a lack of Cross-Site Request Forgery (CSRF) protection in the gsconfig editor module, allowing remote exploitation against logged-in administrators. A fix is pending.
This vulnerability allows an attacker to execute arbitrary code on the web server with the privileges of the administrator account. Successful exploitation grants the attacker full control over the affected system, enabling them to steal sensitive data, modify website content, install malware, or pivot to other systems on the network. The lack of CSRF protection significantly lowers the barrier to entry, as an attacker can leverage existing administrator sessions to execute malicious code without requiring further authentication. This is a high-impact vulnerability with the potential for widespread damage, similar to other configuration file overwrite vulnerabilities that have led to complete system compromise.
CVE-2026-28495 was publicly disclosed on 2026-03-10. There is currently no indication of active exploitation, but the ease of exploitation and the critical severity make it a high-priority target. The vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept code is likely to emerge given the vulnerability's nature and severity.
Exploit Status
EPSS: 0.07% (20th percentile)
CISA SSVC
CVSS Vector
The primary mitigation is to upgrade to a patched version of GetSimpleCMS-CE that includes a fixed version of the massiveAdmin plugin. Unfortunately, a specific fixed version is not yet available. As a temporary workaround, implement strict CSRF protection on the gsconfig editor module. This can be achieved by adding a CSRF token to the form and validating it on submission. Additionally, consider restricting access to the gsconfig editor module to trusted administrators only. Monitor gsconfig.php for unauthorized modifications. After upgrade, confirm by attempting to access the gsconfig editor as an administrator and verifying that the form now includes a CSRF token.
Update GetSimple CMS to a version later than 3.3.22 or disable/remove the massiveAdmin plugin. As a preventative measure, avoid accessing the GetSimple CMS admin interface from untrusted networks and ensure you log out after using it.
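The workaround above (a CSRF token added to the gsconfig editor form and validated on submission) in working form, as an added example that is not GetSimpleCMS-CE or massiveAdmin code. The function and field names (csrf_token, csrf_verify, same_origin, _csrf) and the commented-out save routine are assumptions.

```php
<?php
// Synchroniser-token CSRF protection for a configuration-editor form.
// Added example; names below are assumptions, not the plugin's own API.
session_start();

// Return the per-session token, generating it on first use.
function csrf_token(): string {
    if (empty($_SESSION['_csrf'])) {
        $_SESSION['_csrf'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['_csrf'];
}

// Constant-time comparison of the submitted token against the session token.
// A missing token, a missing session token, or a mismatch all fail.
function csrf_verify(?string $submitted): bool {
    return is_string($submitted)
        && isset($_SESSION['_csrf'])
        && hash_equals($_SESSION['_csrf'], $submitted);
}

// Defence in depth: reject a POST whose Origin (or Referer) names another host.
// Compares host names only, so a non-default port does not cause a false reject.
function same_origin(): bool {
    $origin = $_SERVER['HTTP_ORIGIN'] ?? $_SERVER['HTTP_REFERER'] ?? '';
    $ownHost = explode(':', $_SERVER['HTTP_HOST'] ?? '')[0];
    return $origin !== '' && $ownHost !== ''
        && parse_url($origin, PHP_URL_HOST) === $ownHost;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!same_origin() || !csrf_verify($_POST['_csrf'] ?? null)) {
        http_response_code(403);
        exit('Request rejected: missing or invalid CSRF token.');
    }
    // Only past this point may the submitted configuration be written.
    // save_config($_POST['config']);  // hypothetical save routine
}

// The form carries the token as a hidden field; escaping is defensive.
printf('<form method="post"><input type="hidden" name="_csrf" value="%s">',
    htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8'));
echo '<textarea name="config"></textarea><button>Save</button></form>';
```

A forged cross-site POST cannot read the victim's session token, so it fails csrf_verify and the configuration write never happens; the same check is what the post-upgrade verification step (a hidden token present in the editor form) looks for.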
CVE-2026-28495 is a critical Remote Code Execution vulnerability in the massiveAdmin plugin bundled with GetSimpleCMS-CE versions up to 3.3.22. It allows an attacker to overwrite the gsconfig.php file via CSRF, potentially leading to full server compromise.
You are affected if you are using GetSimpleCMS-CE version 3.3.22 or earlier, and have the massiveAdmin plugin installed. Upgrade as soon as a patch is available.
Upgrade to a patched version of GetSimpleCMS-CE that includes a fixed version of the massiveAdmin plugin. Until a patch is available, implement CSRF protection on the gsconfig editor module.
There is currently no confirmed active exploitation, but the vulnerability's severity and ease of exploitation make it a likely target.
Refer to the official GetSimple CMS website and security advisories for updates and patch information: https://getsimple.info/