What is the CVSS score of CVE-2026-28495?

CVE-2026-28495 has a CVSS 3.1 base score of 9.6 (Critical). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H. EPSS exploitation probability: 0.1%.

Which versions of PHP are affected by CVE-2026-28495?

A critical vulnerability in GetSimple CMS allows authenticated administrators to inject malicious code into core configuration files, potentially compromising the entire web application and…

Is there a public PoC exploit available for CVE-2026-28495?

Yes, a public proof-of-concept exploit is available for CVE-2026-28495. Prioritise patching immediately. EPSS: 0.1%.

PHP CVE-2026-28495

CRITICAL

Cross-Site Request Forgery (CSRF) (CWE-352)

2026-03-10 security-advisories@github.com

PHP RCE CSRF Getsimple Cms

9.6

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 21:55 vuln.today

PoC Detected

Mar 12, 2026 - 18:21 vuln.today

Public exploit code

CVE Published

Mar 10, 2026 - 20:16 nvd

CRITICAL 9.6

DescriptionNVD

GetSimple CMS is a content management system. The massiveAdmin plugin (v6.0.3) bundled with GetSimpleCMS-CE v3.3.22 allows an authenticated administrator to overwrite the gsconfig.php configuration file with arbitrary PHP code via the gsconfig editor module. The form lacks CSRF protection, enabling a remote unauthenticated attacker to exploit this via Cross-Site Request Forgery against a logged-in admin, achieving Remote Code Execution (RCE) on the web server.

AnalysisAI

GetSimple CMS massiveAdmin plugin has a CSRF vulnerability enabling attackers to perform admin actions through crafted malicious pages.

RemediationAI

Within 24 hours: Audit all administrator accounts for unauthorized access and review recent configuration file modifications in audit logs. Within 7 days: Implement network segmentation to restrict admin panel access by IP, enforce multi-factor authentication for all admin accounts, and disable the massiveAdmin plugin if not operationally critical. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-28495 vulnerability details – vuln.today

Back

PHP CVE-2026-28495

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code