CVE-2026-38931
MediumCVSS 5.4Exploitation Probability (EPSS)
Low risk6th percentile - higher than 6% of all known CVEs
Summary
A stored cross-site scripting (XSS) vulnerability was found in the /admin/config-module.php component of the simplephp project (commit 5184cff). An attacker can inject a malicious JavaScript payload that will be executed in administrators' browsers.
Risk Assessment
The risk includes potential session hijacking, data theft, or unauthorized actions in the admin panel. This vulnerability could lead to full application compromise.
Recommendation
Immediately update the source code to a patched version or apply input filtering and output encoding for data processed in /admin/config-module.php.
Original NVD description (English source)
A stored cross-site scripting (XSS) vulnerability in the /admin/config-module.php component of creatorsofcode simplephp GitHub commit 5184cff (Latest as of 2026-02-27) via injecting a crafted payload.

