Stored Cross-Site Scripting Vulnerability in SimplCommerce by SimplCommerce
CVE-2026-11975

6.2 MEDIUM

Key Information:

Vendor
CVE Published: 17 June 2026

What is CVE-2026-11975?

The stored cross-site scripting vulnerability in SimplCommerce allows authenticated administrators to inject and execute arbitrary JavaScript code. This occurs through the ShortContent and FullContent fields, which lack proper HTML sanitization and are rendered unencoded using @Html.Raw(). This flaw can be exploited to compromise the integrity of the application and potentially gain unauthorized access to sensitive data or perform malicious actions within the application's context.
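The three ways a stored content value can reach the page, as an added example that is not SimplCommerce source code. The class and method names and the sample value are hypothetical, and the sanitizing path assumes the third-party HtmlSanitizer NuGet package (namespace Ganss.Xss):

```csharp
using System;
using System.Net;
using Ganss.Xss; // assumption: HtmlSanitizer NuGet package is referenced

public static class ContentRendering
{
    // Allowlist sanitizer. The library defaults drop <script> elements,
    // event-handler attributes and javascript: URLs, and keep ordinary
    // formatting markup such as <p>, <b> and <img src>.
    private static readonly HtmlSanitizer Sanitizer = new HtmlSanitizer();

    // Vulnerable pattern: equivalent to @Html.Raw(value) in a Razor view,
    // the stored string is written into the response verbatim.
    public static string RenderRaw(string stored) => stored;

    // Plain-text fields: equivalent to Razor's default @value expression,
    // which HTML-encodes the string so markup is displayed, not parsed.
    public static string RenderEncoded(string stored) =>
        WebUtility.HtmlEncode(stored ?? string.Empty);

    // Rich-text fields: sanitize first, so that only allowlisted markup
    // is ever handed to @Html.Raw().
    public static string RenderSanitized(string stored) =>
        Sanitizer.Sanitize(stored ?? string.Empty);
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample value standing in for a saved FullContent field.
        string fullContent =
            "<p>Spring <b>sale</b></p>" +
            "<img src=\"banner.png\" onerror=\"alert(1)\">" +
            "<script>alert(2)</script>";

        Console.WriteLine("raw:       " + ContentRendering.RenderRaw(fullContent));
        Console.WriteLine("encoded:   " + ContentRendering.RenderEncoded(fullContent));
        Console.WriteLine("sanitized: " + ContentRendering.RenderSanitized(fullContent));
    }
}
```

Sanitizing when the value is saved as well as when it is rendered also covers rows that were stored before the fix.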

Affected Version(s)

SimplCommerce 0

CVSS V4

Score: 6.2
Severity: MEDIUM
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved