What is the CVSS score of CVE-2026-28495?

CVE-2026-28495 has a CVSS 3.1 base score of 9.6 (Critical). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H. EPSS exploitation probability: 0.1%.

Which versions of PHP are affected by CVE-2026-28495?

A critical vulnerability in GetSimple CMS allows authenticated administrators to inject malicious code into core configuration files, potentially compromising the entire web application and…

Is there a public PoC exploit available for CVE-2026-28495?

Yes, a public proof-of-concept exploit is available for CVE-2026-28495. Prioritise patching immediately. EPSS: 0.1%.

How to fix or mitigate CVE-2026-28495?

Within 24 hours: Audit all administrator accounts for unauthorized access and review recent configuration file modifications in audit logs. Within 7 days: Implement network segmentation to restrict admin panel access by IP, enforce multi-factor authentication for all admin accounts, and disable the massiveAdmin plugin if not operationally critical. Within 30 days: Evaluate migration to an alternative CMS with active security support, or implement strict code review processes and Web Application Firewall rules blocking gsconfig.php modifications until vendor patch availability.

PHP CVE-2026-28495

CRITICAL

Cross-Site Request Forgery (CSRF) (CWE-352)

2026-03-10 security-advisories@github.com

PHP RCE CSRF Getsimple Cms

9.6

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

9.6 CRITICAL

AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 21:55 vuln.today

PoC Detected

Mar 12, 2026 - 18:21 vuln.today

Public exploit code

CVE Published

Mar 10, 2026 - 20:16 nvd

CRITICAL 9.6

DescriptionGitHub Advisory

GetSimple CMS is a content management system. The massiveAdmin plugin (v6.0.3) bundled with GetSimpleCMS-CE v3.3.22 allows an authenticated administrator to overwrite the gsconfig.php configuration file with arbitrary PHP code via the gsconfig editor module. The form lacks CSRF protection, enabling a remote unauthenticated attacker to exploit this via Cross-Site Request Forgery against a logged-in admin, achieving Remote Code Execution (RCE) on the web server.

AnalysisAI

GetSimple CMS massiveAdmin plugin has a CSRF vulnerability enabling attackers to perform admin actions through crafted malicious pages.

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Craft malicious CSRF page

Delivery

Lure logged-in admin to visit page

Exploit

Submit gsconfig editor form without CSRF token

Execution

Overwrite gsconfig.php with PHP code

Impact

Execute arbitrary code on server

Access

Craft malicious CSRF page

Delivery

Lure logged-in admin to visit page

Exploit

Submit gsconfig editor form without CSRF token

Execution

Overwrite gsconfig.php with PHP code

Impact

Execute arbitrary code on server

Vulnerability AssessmentAI

Exploitation	GetSimple CMS v3.3.22 with massiveAdmin plugin v6.0.3 bundled and enabled; target admin must be authenticated and visit attacker-controlled page; gsconfig editor module must lack CSRF token validation Additional conditions and limiting factors are described in the full assessment.
Risk Assessment	CVSS 9.6 with PoC. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An attacker creates a malicious webpage that, when visited by a GetSimple CMS admin, performs administrative actions like creating new admin accounts or modifying site content.
Remediation	Update the plugin. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Audit all administrator accounts for unauthorized access and review recent configuration file modifications in audit logs. …

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2026-49952 CRITICAL Act Now POC

9.3 Jun 15

Authentication bypass in Discuz! X5.0 releases 20260320 through 20260501 allows unauthenticated remote attackers to acce

CVE-2026-49954 HIGH This Week POC

8.6 Jun 15

Authenticated remote code execution in Discuz! X5.0 releases 20260320 through 20260501 allows administrators to chain a

CVE-2026-49768 CRITICAL Act Now

9.8 Jun 15

Unauthenticated PHP Object Injection in the Happyforms WordPress plugin (versions <= 1.26.13) allows remote attackers to

CVE-2026-27053 CRITICAL Act Now

9.8 Jun 15

Unauthenticated PHP Object Injection in the Broadcast Live Video WordPress plugin (versions prior to 7.1.3) allows remot

CVE-2026-49104 CRITICAL Act Now

9.8 Jun 15

Unauthenticated PHP object injection in the WordPress plugin 'Integration for Keap/Infusionsoft and Contact Form 7, WPFo

CVE-2026-28495 vulnerability details – vuln.today

Back

PHP CVE-2026-28495

Severity by source

CVSS VectorGitHub Advisory

Lifecycle Timeline

DescriptionGitHub Advisory

AnalysisAI

Unlock full vulnerability intelligence

Attack ChainAIDerived

Vulnerability AssessmentAI

Recommended ActionAI

More from same product – last 7 days

Share

External POC / Exploit Code