CVE-2020-37238

MEDIUM 6.4

CMS Made Simple 2.2.15 Stored XSS via SVG File Upload

CVSS Score

6.4

EPSS Score

0.0%

EPSS Percentile

0th

CMS Made Simple 2.2.15 contains a stored cross-site scripting vulnerability that allows authenticated users with Content Manager access to inject malicious scripts through SVG file uploads. Attackers can upload SVG files containing embedded JavaScript to the file manager, which executes when other authenticated users access the uploaded file, enabling cookie theft and session hijacking.

CWE	CWE-79
Vendor	cmsmadesimple
Product	cms made simple
Published	May 16, 2026

Stay Ahead of the Next One

Get instant alerts for cmsmadesimple cms made simple

Be the first to know when new medium vulnerabilities affecting cmsmadesimple cms made simple are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Changed

Confidentiality

None

Integrity

None

Availability

None

Affected Versions

Cmsmadesimple / CMS Made Simple

2.2.15

References

NVD ↗ CVE.org ↗ EPSS Data ↗

exploit-db.com: https://www.exploit-db.com/exploits/49199 cmsmadesimple.org: https://www.cmsmadesimple.org/ cmsmadesimple.org: https://www.cmsmadesimple.org/downloads vulncheck.com: https://www.vulncheck.com/advisories/cms-made-simple-stored-xss-via-svg-file-upload

Credits

Eshan Singh