Skip to main content

SimplCommerce CVE-2026-11975

| EUVDEUVD-2026-37683 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-06-17 Checkmarx
6.2
CVSS 4.0 · Vendor: Checkmarx
Share

Severity by source

Vendor (Checkmarx) PRIMARY
6.2 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:H/SI:H/SA:N
vuln.today AI
4.8 MEDIUM

Admin authentication required (PR:H) and victim must load the page (UI:R); scope changes (S:C) because payload executes in other users' browsers, with limited confidentiality and integrity impact on those victims.

3.1 AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:H/SI:H/SA:N

Primary rating from Vendor (Checkmarx).

CVSS VectorVendor: Checkmarx

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:H/SI:H/SA:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
P

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 17, 2026 - 13:20 vuln.today
Analysis Generated
Jun 17, 2026 - 13:20 vuln.today

DescriptionCVE.org

Stored cross-site scripting (XSS) in NewsItemApiController In SimplCommerce prior to commit 6142d3b5 allows an authenticated administrator to execute arbitrary JavaScript via the ShortContent and FullContent fields, which are stored without HTML sanitization and rendered unencoded via @Html.Raw()

AnalysisAI

Stored XSS in SimplCommerce's news module allows an authenticated administrator to persist arbitrary JavaScript via the ShortContent and FullContent fields of NewsItemApiController, which are stored without HTML sanitization and rendered unencoded through Razor's @Html.Raw() method. Any site visitor who subsequently loads an affected news page will execute the injected script in their browser, enabling session hijacking, credential theft, or malicious redirects. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Obtain or compromise admin credentials
Delivery
Authenticate to SimplCommerce admin panel
Exploit
POST or PUT malicious JS payload in news item ShortContent or FullContent
Install
Payload stored unsanitized in database
C2
Victim browses to news page
Execute
@Html.Raw() renders script in victim's browser
Impact
Session token exfiltrated or victim browser compromised

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated session with administrator-level privileges on the SimplCommerce instance - the attacker must be able to submit POST or PUT requests to the NewsItemApiController, as exposed via the admin news management interface. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:H/SI:H/SA:N, score 6.2) accurately captures the dual nature of this vulnerability: low complexity for a privileged attacker, but high subsequent-system impact (SC:H/SI:H) affecting visitors whose browsers execute the payload. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has obtained or compromised an administrator account logs into the SimplCommerce admin panel and creates or edits a news item, embedding a JavaScript payload such as a cookie-stealing script in the ShortContent or FullContent field via the news management API. The payload is stored in the database without sanitization; when any site visitor subsequently loads the news listing or detail page, ASP.NET Core's @Html.Raw() renders the script verbatim into the HTML response, executing it in the visitor's browser and exfiltrating their session token to an attacker-controlled endpoint. …
Remediation Upgrade SimplCommerce to a build that incorporates commit 6142d3b5 or later, available at https://github.com/simplcommerce/SimplCommerce/commit/6142d3b5147899e0edb41663ae20183878ab39f7. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-11975 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy