
Description

CMDBuild 3.3.2 contains multiple stored cross-site scripting vulnerabilities that allow authenticated attackers to inject arbitrary web script or HTML via crafted input in card creation and file upload endpoints. Attackers can inject XSS payloads through Employee card parameters or SVG file attachments in the classes endpoint, which execute when other users view the affected records or preview attachments.

Status: PUBLISHED | Reserved 2026-02-01 | Published 2026-05-10 | Updated 2026-05-10 | Assigner: VulnCheck

Metrics

MEDIUM: 5.1 (CVSS 4.0 vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N)
MEDIUM: 6.4 (CVSS 3.1 vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N)

Problem types

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Product status

CMDBuild 3.3.2: affected

Credits

Hosein Vita (finder)

References

www.exploit-db.com/exploits/50527 (ExploitDB-50527) exploit

www.cmdbuild.org (Official Product Homepage) product

www.cmdbuild.org/en/download/latest-version (Product Reference) product

www.vulncheck.com/...ld-multiple-stored-cross-site-scripting (VulnCheck Advisory: CMDBuild 3.3.2 Multiple Stored Cross-Site Scripting) third-party-advisory

cve.org (CVE-2021-47925)

nvd.nist.gov (CVE-2021-47925)
