Platform
php
Component
code-projects-simple-content-management-system
Fixed in
1.0.1
A cross-site scripting (XSS) vulnerability has been discovered in Simple Content Management System versions 1.0.0 through 1.0. This flaw resides within the /web/admin/welcome.php file, specifically concerning the handling of the 'News Title' argument. Successful exploitation allows an attacker to inject malicious scripts, potentially impacting administrative users. A patch is expected to resolve this issue.
The primary impact of CVE-2026-6184 is the potential for cross-site scripting (XSS) attacks. An attacker could inject malicious JavaScript code into the 'News Title' field within the administrative interface (/web/admin/welcome.php). When another administrator views this page, the injected script would execute in their browser context. This could lead to session hijacking, redirection to malicious websites, or the theft of sensitive information, such as login credentials or administrative data. The remote nature of the vulnerability means an attacker does not need local access to exploit it.
CVE-2026-6184 has been publicly disclosed and a proof-of-concept (PoC) is available, indicating a higher risk of exploitation. The vulnerability is rated as LOW severity according to CVSS v2.4. It is currently not listed on CISA KEV. Active campaigns targeting this specific vulnerability are not yet confirmed, but the availability of a PoC increases the likelihood of exploitation attempts.
Administrators of Simple Content Management System instances running versions 1.0.0 through 1.0 are at direct risk. Shared hosting environments utilizing this CMS are particularly vulnerable, as a compromised account could potentially impact other websites hosted on the same server. Those who have not implemented robust input validation practices are also at increased risk.
• php / server:
  grep -r "News Title" /var/www/html/web/admin/welcome.php
• generic web:
  curl -I "http://your-website.com/web/admin/welcome.php?News+Title=<script>alert(1)</script>"
Disclosure
Exploit status
EPSS: 0.03% (9th percentile)
The immediate mitigation for CVE-2026-6184 is to upgrade to a patched version of Simple Content Management System as soon as it becomes available. Until a patch is released, consider implementing input validation and sanitization on the 'News Title' field to prevent the injection of malicious scripts. Web application firewalls (WAFs) configured to detect and block XSS payloads targeting the /web/admin/welcome.php endpoint can provide an additional layer of protection. Carefully review any third-party plugins or extensions for potential vulnerabilities that could be exploited in conjunction with this XSS flaw.
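The following is an added illustration of the mitigation described above; it is not code from the Simple Content Management System project. It assumes, hypothetically, that welcome.php reads the submitted title from a `news_title` form field and prints it into an HTML list, and shows the weak output pattern next to the hardened one (HTML output encoding plus an input-side sanity check).

```php
<?php
// Added example (not from the Simple Content Management System code base).
// Assumption: welcome.php stores the submitted News Title and later prints it
// into an HTML list of news items. The field and variable names are hypothetical.

// Weak pattern: the stored title is written into the page verbatim, so a value
// such as <script>alert(1)</script> is parsed by the browser as markup.
function render_news_title_unsafe(string $title): string
{
    return '<li class="news-title">' . $title . '</li>';
}

// Hardened pattern: encode for the HTML context at output time. ENT_QUOTES also
// encodes ' and ", so the same helper is safe inside attribute values;
// ENT_SUBSTITUTE keeps invalid UTF-8 from turning the whole string into "".
function esc_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_news_title(string $title): string
{
    return '<li class="news-title">' . esc_html($title) . '</li>';
}

// Input-side check applied when the form is submitted: reject titles that are
// empty, over-long, or contain control characters. This is a sanity filter
// only; the output encoding above is what actually prevents the XSS.
function validate_news_title(string $title): bool
{
    $title = trim($title);
    return $title !== ''
        && mb_strlen($title, 'UTF-8') <= 120
        && preg_match('/[\x00-\x1F\x7F]/', $title) !== 1;
}

// Demonstration with a constructed value of the kind the advisory describes.
$submitted = $_POST['news_title'] ?? '<script>alert(1)</script>';
if (!validate_news_title($submitted)) {
    http_response_code(400);
    exit('Invalid news title');
}
echo render_news_title($submitted), PHP_EOL;
```

Run it from the command line (`php example.php`) to see the encoded list item; the same `esc_html` helper should wrap every place the title is echoed, not only the one shown.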
Update Simple Content Management System to a fixed version. Check the vendor's website or community forums for information on available updates. As a temporary measure, you can disable the 'News Title' input or apply strict input validation to prevent the injection of malicious code.
CVE-2026-6184 is a cross-site scripting (XSS) vulnerability affecting Simple Content Management System versions 1.0.0–1.0, allowing attackers to inject malicious scripts via the News Title parameter.
You are affected if you are running Simple Content Management System version 1.0.0–1.0 and have not applied a patch or implemented mitigating controls.
Upgrade to a patched version of Simple Content Management System as soon as it becomes available. Until then, implement input validation and consider using a WAF.
While active campaigns are not confirmed, a public proof-of-concept exists, increasing the risk of exploitation.
Refer to the Simple Content Management System website or security mailing list for the official advisory regarding CVE-2026-6184.