CVE-2026-27161— Unauthenticated Information Disclosure via .htaccess Reliance in Sensitive Directories
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-27161
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Unauthenticated Information Disclosure via .htaccess Reliance in Sensitive Directories
Source: NVD (National Vulnerability Database)
Vulnerability Description
GetSimple CMS is a content management system. All versions of GetSimple CMS rely on .htaccess files to restrict access to sensitive directories such as /data/ and /backups/. If Apache AllowOverride is disabled (common in hardened or shared hosting environments), these protections are silently ignored, allowing unauthenticated attackers to list and download sensitive files including authorization.xml, which contains cryptographic salts and API keys. This issue does not have a fix at the time of publication.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
信息暴露
Source: NVD (National Vulnerability Database)
Vulnerability Title
GetSimple CMS 信息泄露漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
GetSimple CMS是GetSimple CMS开源的一个内容管理系统。 GetSimple CMS存在信息泄露漏洞,该漏洞源于依赖.htaccess文件限制敏感目录访问,当Apache AllowOverride被禁用时,这些保护会被静默忽略,可能导致未经验证的攻击者列出和下载包含加密盐和API密钥的敏感文件。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| GetSimpleCMS-CE | GetSimpleCMS-CE | <= 3.3.22 | - |
II. Public POCs for CVE-2026-27161
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-27161
请登录查看更多情报信息。
Same Patch Batch · GetSimpleCMS-CE · 2026-02-20 · 4 CVEs total
| CVE-2026-27146 | GetSimple CMS: Cross-Site Request Forgery (CSRF) in File Upload Allows Arbitrary Uploads | |
| CVE-2026-27147 | GetSimple CMS: Stored Cross-Site Scripting (XSS) via SVG File Upload (Authenticated) | |
| CVE-2026-27202 | GetSimple CMS: Uploaded Files (feature) Arbitrary File Read Vulnerability |
IV. Related Vulnerabilities
Same product: GetSimpleCMS-CE
- CVE-2026-28495
GetSimple CMS has CSRF to Remote Code Execution via Arbitrar - CVE-2026-26351
GetSimpleCMS-CE < 3.3.22 Stored XSS via components.php - CVE-2026-27202
GetSimple CMS: Uploaded Files (feature) Arbitrary File Read - CVE-2026-27147
GetSimple CMS: Stored Cross-Site Scripting (XSS) via SVG Fil - CVE-2026-27146
GetSimple CMS: Cross-Site Request Forgery (CSRF) in File Up
Same vendor: GetSimpleCMS-CE
- CVE-2026-28495
GetSimple CMS has CSRF to Remote Code Execution via Arbitrar - CVE-2026-26351
GetSimpleCMS-CE < 3.3.22 Stored XSS via components.php - CVE-2026-27202
GetSimple CMS: Uploaded Files (feature) Arbitrary File Read - CVE-2026-27147
GetSimple CMS: Stored Cross-Site Scripting (XSS) via SVG Fil - CVE-2026-27146
GetSimple CMS: Cross-Site Request Forgery (CSRF) in File Up
Same weakness: CWE-200
- CVE-2026-42333
quarkus-openapi-generator has overly broad path-parameter ma - CVE-2026-8198
Activity Logs, User Activity Tracking, Multisite Activity Lo - CVE-2026-42456
AnythingLLM: Cross-User TTS Audio Disclosure via Chat ID (ID - CVE-2026-41520
Cillium exposes sensitive information included in the cilium - CVE-2026-25199
Apache CloudStack: Proxmox Extension Allows Unauthorized Cro
V. Comments for CVE-2026-27161
No comments yet