CVE Catalog

CVE-2026-38931

MediumCVSS 5.4
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.17%

6th percentile - higher than 6% of all known CVEs

Summary

A stored cross-site scripting (XSS) vulnerability was found in the /admin/config-module.php component of the simplephp project (commit 5184cff). An attacker can inject a malicious JavaScript payload that will be executed in administrators' browsers.

Risk Assessment

The risk includes potential session hijacking, data theft, or unauthorized actions in the admin panel. This vulnerability could lead to full application compromise.

Recommendation

Immediately update the source code to a patched version or apply input filtering and output encoding for data processed in /admin/config-module.php.

Original NVD description (English source)

A stored cross-site scripting (XSS) vulnerability in the /admin/config-module.php component of creatorsofcode simplephp GitHub commit 5184cff (Latest as of 2026-02-27) via injecting a crafted payload.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS