CVE-2026-11975
Stored Cross-Site Scripting (XSS) in SimplCommerce News Module Admin Interface
| CVSS Score | 0.0 |
| EPSS Score | 0.0% |
| EPSS Percentile | 0th |
Stored cross-site scripting (XSS) in NewsItemApiController in SimplCommerce prior to commit 6142d3b5 allows an authenticated administrator to execute arbitrary JavaScript via the ShortContent and FullContent fields, which are stored without HTML sanitization and rendered unencoded via @Html.Raw().
| CWE | CWE-79 |
| Vendor | simplcommerce |
| Product | simplcommerce |
| Published | Jun 17, 2026 |
Affected Versions
simplcommerce / SimplCommerce
0 < 6142d3b5