GetSimple CMS versions 3.1.1 through 3.3.4 suffer from an XML external entity injection vulnerability.