← Back

Cmsimple Xh

cmsimple_xh

Vendor: Cmsimple Xh • 5 CVEs

CVEs (5)

CVE
VENDORS
PRODUCTS
UPDATED
PUBLISHED
CVSS
CVE-2021-47736
1Cmsimple Xh
1Cmsimple Xh
Jan 5, 2026
Dec 23, 2025
8.6 HIGH· v4
7.2 HIGH· v3
N/A· v2
CMSimple_XH 1.7.4 contains an authenticated remote code execution vulnerability in the content editing functionality that allows administrative users to upload malicious PHP files. Attackers with valid credentials can ex...Show more
CMSimple_XH 1.7.4 contains an authenticated remote code execution vulnerability in the content editing functionality that allows administrative users to upload malicious PHP files. Attackers with valid credentials can exploit the CSRF token mechanism to create a PHP shell file that enables arbitrary command execution on the server.Show less
CVE-2025-63589
1Cmsimple Xh
1Cmsimple Xh
Nov 10, 2025
Nov 6, 2025
N/A· v4
7.1 HIGH· v3
N/A· v2
A reflected XSS vulnerability exists in CMSimple_XH 1.8's index.php router when attacker-controlled path segments are not sanitized or encoded before being inserted into the generated HTML (navigation links, breadcrumbs,...Show more
A reflected XSS vulnerability exists in CMSimple_XH 1.8's index.php router when attacker-controlled path segments are not sanitized or encoded before being inserted into the generated HTML (navigation links, breadcrumbs, search form action, footer links). An attacker-controlled string placed in the URL path is reflected into multiple HTML elements, allowing execution of arbitrary JavaScript in victims' browsers visiting a crafted URL.Show less
CVE-2025-63588
1Cmsimple Xh
1Cmsimple Xh
Nov 10, 2025
Nov 6, 2025
N/A· v4
7.1 HIGH· v3
N/A· v2
An unauthenticated reflected cross-site scripting vulnerability in the query handling of CMSimpleXH allows remote attackers to inject and execute arbitrary JavaScript in a victim's browser via a crafted request (e.g., a...Show more
An unauthenticated reflected cross-site scripting vulnerability in the query handling of CMSimpleXH allows remote attackers to inject and execute arbitrary JavaScript in a victim's browser via a crafted request (e.g., a maliciously crafted POST login). Successful exploitation may lead to theft of session cookies, credential disclosure, or other client-side impacts.Show less
CVE-2024-34452
1Cmsimple Xh
1Cmsimple Xh
Jun 17, 2026
Jun 21, 2024
N/A· v4
6.1 MEDIUM· v3
N/A· v2
CMSimple_XH 1.7.6 allows XSS by uploading a crafted SVG document.
CVE-2021-42645
1Cmsimple Xh
1Cmsimple Xh
Jun 17, 2026
May 10, 2022
N/A· v4
10.0 CRITICAL· v3
10.0 HIGH· v2
CMSimple_XH 1.7.4 is affected by a remote code execution (RCE) vulnerability. To exploit this vulnerability, an attacker must use the "File" parameter to upload a PHP payload to get a reverse shell from the vulnerable ho...Show more
CMSimple_XH 1.7.4 is affected by a remote code execution (RCE) vulnerability. To exploit this vulnerability, an attacker must use the "File" parameter to upload a PHP payload to get a reverse shell from the vulnerable host.Show less