What is the CVSS score of CVE-2026-27161?

CVE-2026-27161 has a CVSS 3.1 base score of 7.5 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. EPSS exploitation probability: 0.1%.

Which versions of Getsimple Cms are affected by CVE-2026-27161?

GetSimple CMS installations are vulnerable to unauthorized access of sensitive directories containing backup files and database information due to reliance on .htaccess protection mechanisms that can…

Is there a public PoC exploit available for CVE-2026-27161?

Yes, a public proof-of-concept exploit is available for CVE-2026-27161. Prioritise patching immediately. EPSS: 0.1%.

How to fix or mitigate CVE-2026-27161?

Within 24 hours: identify all GetSimple CMS instances in your environment and document their exposure level (internet-facing vs. internal). Within 7 days: implement compensating controls (WAF rules, network access restrictions, directory hardening) and disable GetSimple CMS if not business-critical. Within 30 days: evaluate migration to alternative CMS platforms or establish a patching timeline with the vendor, and conduct a forensic review of access logs for signs of exploitation.

Getsimple Cms CVE-2026-27161

HIGH

Information Exposure (CWE-200)

2026-02-21 security-advisories@github.com

Apache Getsimple Cms

7.5

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 22:04 vuln.today

PoC Detected

Feb 24, 2026 - 13:10 vuln.today

Public exploit code

CVE Published

Feb 21, 2026 - 00:16 nvd

HIGH 7.5

DescriptionNVD

GetSimple CMS is a content management system. All versions of GetSimple CMS rely on .htaccess files to restrict access to sensitive directories such as /data/ and /backups/. If Apache AllowOverride is disabled (common in hardened or shared hosting environments), these protections are silently ignored, allowing unauthenticated attackers to list and download sensitive files including authorization.xml, which contains cryptographic salts and API keys. This issue does not have a fix at the time of publication.

AnalysisAI

Unauthenticated attackers can access sensitive files in GetSimple CMS when Apache's AllowOverride directive is disabled, bypassing .htaccess protections that restrict directory access. This configuration is common in hardened and shared hosting environments, exposing authorization credentials, API keys, and cryptographic salts in files like authorization.xml. …

RemediationAI

Within 24 hours: identify all GetSimple CMS instances in your environment and document their exposure level (internet-facing vs. internal). …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

More from same product – last 7 days

CVE-2025-48977 HIGH This Week

8.5 May 28

Path traversal in Apache Ignite 2.0.0 through 2.17.0 lets authenticated REST API users read arbitrary files on the serve

CVE-2026-42782 HIGH This Week

7.2 May 25

Code execution via Groovy sandbox bypass in Apache Syncope 3.0 through 3.0.16, 4.0 through 4.0.5, and 4.1.0 allows a hig

CVE-2026-43827 MEDIUM This Month

5.9 May 25

Default configurations of Apache Shiro have a session fixation vulnerability. This issue affects Apache Shiro from 1.0

CVE-2026-43828 MEDIUM This Month

5.9 May 25

Default configurations of Apache Shiro send sensitive cookies in HTTPS session without 'Secure' attribute. This issue

CVE-2026-44598 MEDIUM This Month

5.1 May 25

With valid login credentials, URL Redirection to Untrusted Site ('Open Redirect'), Server-Side Request Forgery (SSRF) vu

CVE-2026-27161 vulnerability details – vuln.today

Back

Getsimple Cms CVE-2026-27161

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

More from same product – last 7 days

Share

External POC / Exploit Code