CVE-2026-11975
6.2
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:H/SI:H/SA:N
Summary
Stored cross-site scripting (XSS) in NewsItemApiController In SimplCommerce prior to commit 6142d3b5 allows an authenticated administrator to execute arbitrary JavaScript via the ShortContent and FullContent fields, which are stored without HTML sanitization and rendered unencoded via @Html.Raw()
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| simplcommerce | SimplCommerce | 0 < 6142d3b5 | affected |
Weaknesses
- CWE-79: CWE-79 Improper neutralization of input during web page generation ('cross-site scripting')
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
- https://github.com/simplcommerce/SimplCommerce/pull/1151
- https://github.com/simplcommerce/SimplCommerce/commit/6142d3b5147899e0edb41663ae20183878ab39f7
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.