CVE-2026-27161 HIGH

CVE-2026-27161: Unauthenticated Information Disclosure via .htaccess Reliance in Sensitive Directories

Vendor Getsimplecms-Ce
Product GetSimpleCMS-CE
Weakness CWE-200 · Info exposure
Published February 20, 2026
Last update February 25, 2026

CVSS base score

8.7/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01 Description

GetSimple CMS is a content management system. All versions of GetSimple CMS rely on .htaccess files to restrict access to sensitive directories such as /data/ and /backups/. If Apache AllowOverride is disabled (common in hardened or shared hosting environments), these protections are silently ignored, allowing unauthenticated attackers to list and download sensitive files including authorization.xml, which contains cryptographic salts and API keys. This issue does not have a fix at the time of publication.
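The difference between relying on .htaccess and enforcing the restriction in the server configuration, as an added example that is not part of the advisory or the GetSimple CMS project. It assumes Apache 2.4 and uses `/var/www/getsimple` as a placeholder install path.

```apache
# Added example. /var/www/getsimple is an assumed install path (placeholder).
# Apache 2.4 syntax (mod_authz_core).

# --- Weak: the only protection lives in .htaccess files ---
<Directory "/var/www/getsimple">
    # With AllowOverride None, Apache never reads .htaccess files below
    # this path, so deny rules placed in data/ and backups/ have no effect.
    AllowOverride None
    Require all granted
</Directory>

# --- Corrected: enforce the restriction in the server configuration ---
<Directory "/var/www/getsimple">
    AllowOverride None
    # No automatic directory listings anywhere under the site.
    Options -Indexes
    Require all granted
</Directory>

# These blocks are part of the main configuration, so they apply
# regardless of the AllowOverride setting.
<Directory "/var/www/getsimple/data">
    Require all denied
</Directory>

<Directory "/var/www/getsimple/backups">
    Require all denied
</Directory>

# If the site serves public files from a subdirectory of these paths,
# re-grant that subdirectory explicitly in its own <Directory> block.
```

After reloading Apache, requests to `/data/` and `/backups/` on your own site should return 403 whether or not .htaccess processing is enabled.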

Key dates

02 Disclosure timeline

February 20, 2026 CVE published
February 25, 2026 Record updated
