Unauthenticated Information Disclosure via .htaccess Reliance in Sensitive Directories

8.7 / 10

HIGH

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Description

GetSimple CMS is a content management system. All versions of GetSimple CMS rely on .htaccess files to restrict access to sensitive directories such as /data/ and /backups/. If Apache AllowOverride is disabled (common in hardened or shared hosting environments), these protections are silently ignored, allowing unauthenticated attackers to list and download sensitive files including authorization.xml, which contains cryptographic salts and API keys. This issue does not have a fix at the time of publication.

AI Analysis

Unauthenticated information disclosure via .htaccess reliance in sensitive directories

Basic Information

ID CVE-2026-27161

Source GitHub_M

Published Feb 20, 2026 at 23:19

Affected Product

Vendor GetSimpleCMS-CE

Product GetSimpleCMS-CE

Version <= 3.3.22

Affected Versions GetSimpleCMS-CE GetSimpleCMS-CE <= 3.3.22

CWE Classification

CWE-200

AI Assessment

AI Score 8.7 / 10

AI Severity High

Vendor GetSimpleCMS-CE

Product GetSimple CMS

Version <= 3.3.22

References

github.com /GetSimpleCMS-CE/GetSimpleCMS-CE/security/advisories/GHSA-f63g-xh6j-q56g

{
    "lastseen": "",
    "description": "GetSimple CMS is a content management system. All versions of GetSimple CMS rely on .htaccess files to restrict access to sensitive directories such as /data/ and /backups/. If Apache AllowOverride is disabled (common in hardened or shared hosting environments), these protections are silently ignored, allowing unauthenticated attackers to list and download sensitive files including authorization.xml, which contains cryptographic salts and API keys. This issue does not have a fix at the time of publication.",
    "published": "2026-02-20T23:19:08.413Z",
    "modified": "2026-02-20T23:19:08.413Z",
    "type": "cve",
    "title": "Unauthenticated Information Disclosure via .htaccess Reliance in Sensitive Directories",
    "source": "GitHub_M",
    "references": "https://github.com/GetSimpleCMS-CE/GetSimpleCMS-CE/security/advisories/GHSA-f63g-xh6j-q56g",
    "id": "CVE-2026-27161",
    "bulletinFamily": "",
    "cwe": [
        "CWE-200"
    ],
    "cvelist": null,
    "sourceData": "GetSimpleCMS-CE GetSimpleCMS-CE <= 3.3.22",
    "sourceHref": "",
    "cvss": {
        "score": 8.7,
        "severity": "HIGH",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "GetSimpleCMS-CE",
    "version": "<= 3.3.22",
    "vendor": "GetSimpleCMS-CE",
    "ai_description": "Unauthenticated information disclosure via .htaccess reliance in sensitive directories",
    "ai_severity": "High",
    "ai_vendor": "GetSimpleCMS-CE",
    "ai_product": "GetSimple CMS",
    "ai_version": "<= 3.3.22",
    "ai_score": 8.7
}

Unauthenticated Information Disclosure via .htaccess Reliance in Sensitive Directories_CVE-2026-27161