CVE-2025-48492 · HIGH 8.8 · EPSS p50.6%

Description

GetSimple CMS is a content management system. In versions starting from 3.3.16 to 3.3.21, an authenticated user with access to the Edit component can inject arbitrary PHP into a component file and execute it via a crafted query string, resulting in Remote Code Execution (RCE). This issue is set to be patched in version 3.3.22.

Scoring

CVSS 3.1: 8.8 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.76% probability of exploitation · percentile 50.6% · 2026-06-18T12:00:27Z
Published: 2025-05-30
Last modified: 2025-06-04

Underlying weaknesses · 1

CWE-77

References

  1. https://github.com/GetSimpleCMS-CE/GetSimpleCMS-CE/security/advisories/GHSA-g435-p72m-p582

Type | Target | Confidence | Tier
Weakness | Improper Neutralization of Special Elements used in a Command ('Command Injection') cwe-77 | 0% | live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE-2026-28495
CVE-2026-25510
CVE-2025-44071
CVE-2025-34506
CVE-2025-46109
CVE-2025-50707

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.