What is the CVSS score of CVE-2026-27161?

CVE-2026-27161 has a CVSS 3.1 base score of 7.5 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. EPSS exploitation probability: 0.1%.

Which versions of Getsimple Cms are affected by CVE-2026-27161?

GetSimple CMS installations are vulnerable to unauthorized access of sensitive directories containing backup files and database information due to reliance on .htaccess protection mechanisms that can…

Is there a public PoC exploit available for CVE-2026-27161?

Yes, a public proof-of-concept exploit is available for CVE-2026-27161. Prioritise patching immediately. EPSS: 0.1%.

How to fix or mitigate CVE-2026-27161?

Within 24 hours: identify all GetSimple CMS instances in your environment and document their exposure level (internet-facing vs. internal). Within 7 days: implement compensating controls (WAF rules, network access restrictions, directory hardening) and disable GetSimple CMS if not business-critical. Within 30 days: evaluate migration to alternative CMS platforms or establish a patching timeline with the vendor, and conduct a forensic review of access logs for signs of exploitation.

Getsimple Cms CVE-2026-27161

HIGH

Information Exposure (CWE-200)

2026-02-21 security-advisories@github.com

Apache Getsimple Cms

7.5

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

7.5 HIGH

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 22:04 vuln.today

PoC Detected

Feb 24, 2026 - 13:10 vuln.today

Public exploit code

CVE Published

Feb 21, 2026 - 00:16 nvd

HIGH 7.5

DescriptionGitHub Advisory

GetSimple CMS is a content management system. All versions of GetSimple CMS rely on .htaccess files to restrict access to sensitive directories such as /data/ and /backups/. If Apache AllowOverride is disabled (common in hardened or shared hosting environments), these protections are silently ignored, allowing unauthenticated attackers to list and download sensitive files including authorization.xml, which contains cryptographic salts and API keys. This issue does not have a fix at the time of publication.

AnalysisAI

Unauthenticated attackers can access sensitive files in GetSimple CMS when Apache's AllowOverride directive is disabled, bypassing .htaccess protections that restrict directory access. This configuration is common in hardened and shared hosting environments, exposing authorization credentials, API keys, and cryptographic salts in files like authorization.xml. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Discover Apache AllowOverride disabled

Exploit

Access /data/ directory via HTTP

Execution

Download authorization.xml file

Impact

Extract cryptographic salts and API keys

Access

Discover Apache AllowOverride disabled

Exploit

Access /data/ directory via HTTP

Execution

Download authorization.xml file

Impact

Extract cryptographic salts and API keys

Vulnerability AssessmentAI

Exploitation	Apache AllowOverride directive set to 'None' or 'Off' in server configuration, disabling .htaccess-based access controls on GetSimple CMS directories. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment	CVSS 7.5 (HIGH). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An attacker without authentication could exploit this vulnerability to compromise the affected system.
Remediation	Monitor vendor advisories for a patch. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: identify all GetSimple CMS instances in your environment and document their exposure level (internet-facing vs. …

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-27161 vulnerability details – vuln.today

Back

Getsimple Cms CVE-2026-27161

Severity by source

CVSS VectorGitHub Advisory

Lifecycle Timeline

DescriptionGitHub Advisory

AnalysisAI

Unlock full vulnerability intelligence

Attack ChainAIDerived

Vulnerability AssessmentAI

Recommended ActionAI

Share

External POC / Exploit Code