CVE-2026-11975 - Vulnerability Details - OpenCVE

Stored cross-site scripting (XSS) in NewsItemApiController In SimplCommerce prior to commit 6142d3b5 allows an authenticated administrator to execute arbitrary JavaScript via the ShortContent and FullContent fields, which are stored without HTML sanitization and rendered unencoded via @Html.Raw()

Attack Vector Network

Attack Complexity Low

Privileges Required High

Attack Requirements None

User Interaction Passive

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact High

Subsequent System Integrity Impact High

Subsequent System Availability Impact None

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Simplcommerce	Simplcommerce

No data.

No data.

References

Link	Providers
https://github.com/simplcommerce/SimplCommerce/commit/6142d3b5147899e0edb41663ae20183878ab39f7
https://github.com/simplcommerce/SimplCommerce/pull/1151

History

Wed, 17 Jun 2026 14:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Simplcommerce Simplcommerce simplcommerce
Vendors & Products		Simplcommerce Simplcommerce simplcommerce

Wed, 17 Jun 2026 12:45:00 +0000

Type	Values Removed	Values Added
Description		Stored cross-site scripting (XSS) in NewsItemApiController In SimplCommerce prior to commit 6142d3b5 allows an authenticated administrator to execute arbitrary JavaScript via the ShortContent and FullContent fields, which are stored without HTML sanitization and rendered unencoded via @Html.Raw()
Title		Stored Cross-Site Scripting (XSS) in SimplCommerce News Module Admin Interface
Weaknesses		CWE-79
References		https://github.com/simplcommerce/SimplCommerce/commit/6142d3b5147899e0edb41663ae20183878ab39f7 https://github.com/simplcommerce/SimplCommerce/pull/1151
Metrics		cvssV4_0 `{'score': 6.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:H/SI:H/SA:N'}`

MITRE

Status: PUBLISHED

Assigner: Checkmarx

Published: 2026-06-17T12:18:28.771Z

Updated: 2026-06-17T15:03:17.782Z

Reserved: 2026-06-11T11:55:32.835Z

Link: CVE-2026-11975

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-11975", "assignerOrgId": "596c5446-0ce5-4ba2-aa66-48b3b757a647", "state": "PUBLISHED", "assignerShortName": "Checkmarx", "dateReserved": "2026-06-11T11:55:32.835Z", "datePublished": "2026-06-17T12:18:28.771Z", "dateUpdated": "2026-06-17T15:03:17.782Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "596c5446-0ce5-4ba2-aa66-48b3b757a647", "shortName": "Checkmarx", "dateUpdated": "2026-06-17T12:18:28.771Z"}, "title": "Stored Cross-Site Scripting (XSS) in SimplCommerce News Module Admin Interface", "datePublic": "2026-06-17T12:01:00.000Z", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-79", "description": "CWE-79 Improper neutralization of input during web page generation ('cross-site scripting')", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-63", "descriptions": [{"lang": "en", "value": "CAPEC-63 Cross-Site Scripting (XSS)"}]}], "affected": [{"vendor": "simplcommerce", "product": "SimplCommerce", "repo": "https://github.com/simplcommerce/SimplCommerce", "versions": [{"status": "affected", "version": "0", "lessThan": "6142d3b5", "changes": [{"at": "6142d3b5", "status": "unaffected"}], "versionType": "git"}], "defaultStatus": "affected"}], "descriptions": [{"lang": "en", "value": "Stored cross-site scripting (XSS) in NewsItemApiController\u00a0In SimplCommerce prior to commit 6142d3b5\u00a0allows an authenticated administrator to execute arbitrary JavaScript via the ShortContent and FullContent fields, which are stored without HTML\u00a0sanitization and rendered unencoded via @Html.Raw()", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<p>Stored cross-site scripting (XSS) in <code>NewsItemApiController</code> In SimplCommerce prior to commit <code>6142d3b5</code> allows an authenticated administrator to execute arbitrary JavaScript via the <code>ShortContent</code> and <code>FullContent</code> fields, which are stored without HTML <span>sanitization and rendered unencoded via </span><code>@Html.Raw()</code></p>"}]}], "references": [{"url": "https://github.com/simplcommerce/SimplCommerce/pull/1151"}, {"url": "https://github.com/simplcommerce/SimplCommerce/commit/6142d3b5147899e0edb41663ae20183878ab39f7", "tags": ["patch"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "NONE", "subConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "LOW", "subIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "MEDIUM", "baseScore": 6.2, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:H/SI:H/SA:N"}}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.2"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-06-17T15:03:11.260904Z", "id": "CVE-2026-11975", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-17T15:03:17.782Z"}}]}}