Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:H/SI:H/SA:N
Admin authentication required (PR:H) and victim must load the page (UI:R); scope changes (S:C) because payload executes in other users' browsers, with limited confidentiality and integrity impact on those victims.
Primary rating from Vendor (Checkmarx).
CVSS VectorVendor: Checkmarx
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:H/SI:H/SA:N
Lifecycle Timeline
2DescriptionCVE.org
Stored cross-site scripting (XSS) in NewsItemApiController In SimplCommerce prior to commit 6142d3b5 allows an authenticated administrator to execute arbitrary JavaScript via the ShortContent and FullContent fields, which are stored without HTML sanitization and rendered unencoded via @Html.Raw()
AnalysisAI
Stored XSS in SimplCommerce's news module allows an authenticated administrator to persist arbitrary JavaScript via the ShortContent and FullContent fields of NewsItemApiController, which are stored without HTML sanitization and rendered unencoded through Razor's @Html.Raw() method. Any site visitor who subsequently loads an affected news page will execute the injected script in their browser, enabling session hijacking, credential theft, or malicious redirects. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an authenticated session with administrator-level privileges on the SimplCommerce instance - the attacker must be able to submit POST or PUT requests to the NewsItemApiController, as exposed via the admin news management interface. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:H/SI:H/SA:N, score 6.2) accurately captures the dual nature of this vulnerability: low complexity for a privileged attacker, but high subsequent-system impact (SC:H/SI:H) affecting visitors whose browsers execute the payload. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who has obtained or compromised an administrator account logs into the SimplCommerce admin panel and creates or edits a news item, embedding a JavaScript payload such as a cookie-stealing script in the ShortContent or FullContent field via the news management API. The payload is stored in the database without sanitization; when any site visitor subsequently loads the news listing or detail page, ASP.NET Core's @Html.Raw() renders the script verbatim into the HTML response, executing it in the visitor's browser and exfiltrating their session token to an attacker-controlled endpoint. … |
| Remediation | Upgrade SimplCommerce to a build that incorporates commit 6142d3b5 or later, available at https://github.com/simplcommerce/SimplCommerce/commit/6142d3b5147899e0edb41663ae20183878ab39f7. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Simplcommerce
View allSame weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37683