CVE-2021-47931
published 2026-05-10
Priority: P4 · 33 · medium · 6.4 (CVSS 3.1)
Vector: AV:N / AC:L / PR:L / UI:N / S:C / C:L / I:L / A:N
EPSS: 0.21% (11.6th percentile)
Exponent CMS 2.6 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts through the Title and Text Block parameters in the text editing endpoint. Attackers can inject iframe payloads with embedded SVG onload events to execute arbitrary JavaScript. The application also exposes database credentials in responses and lacks brute-force protection on authentication endpoints.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| exponentcms | exponent_cms | <= 2.6 | — |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 6.4 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N |
| nvd | v4.0 | 5.1 | MEDIUM | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
GHSA
GHSA-6jxm-mv8c-gh34: Exponent CMS 2
ghsa_unreviewed·2026-05-10
CVE-2021-47931 [MEDIUM] CWE-79 GHSA-6jxm-mv8c-gh34: Exponent CMS 2
Exponent CMS 2.6 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts through the Title and Text Block parameters in the text editing endpoint. Attackers can inject iframe payloads with embedded SVG onload events to execute arbitrary JavaScript, and the application also exposes database credentials in responses and lacks brute-force protection on authentication endpoints.
VulDB
Exponentcms Exponent CMS up to 2.6 Title/Text cross site scripting (Exploit 50611 / EDB-50611)
vuldb·2026-05-10·CVSS 5.1
CVE-2021-47931 [MEDIUM] Exponentcms Exponent CMS up to 2.6 Title/Text cross site scripting (Exploit 50611 / EDB-50611)
A vulnerability was found in Exponentcms Exponent CMS up to 2.6 and classified as problematic. Affected by this issue is some unknown functionality. Executing a manipulation of the argument Title/Text can lead to cross site scripting.
This vulnerability is handled as CVE-2021-47931. The attack can be executed remotely. Additionally, an exploit exists.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.