CVE-2026-11975
MediumCVSS 6.2Summary
In SimplCommerce prior to commit 6142d3b5, there is a stored XSS vulnerability in NewsItemApiController. This allows an authenticated administrator to execute arbitrary JavaScript via the ShortContent and FullContent fields, which are stored without HTML sanitization.
Risk Assessment
An attacker can exploit this vulnerability to inject malicious scripts, potentially leading to data theft or session hijacking. This poses a serious threat to the application's security and user data.
Recommendation
It is recommended to update to the latest version of SimplCommerce that includes fixes for this vulnerability. Additionally, appropriate input sanitization mechanisms should be implemented for the ShortContent and FullContent fields.
Original NVD description (English source)
Stored cross-site scripting (XSS) in NewsItemApiController In SimplCommerce prior to commit 6142d3b5 allows an authenticated administrator to execute arbitrary JavaScript via the ShortContent and FullContent fields, which are stored without HTML sanitization and rendered unencoded via @Html.Raw()

