CVE Alert

CVE-2021-47907

MEDIUM 6.4

Rocket LMS 1.1 Persistent Cross-Site Scripting via Support Tickets

CVSS Score: 6.4
EPSS Score: 0.0%
EPSS Percentile: 0th

Rocket LMS 1.1 contains a persistent cross-site scripting vulnerability in the support ticket module that allows authenticated users to inject malicious script code through the title parameter. Attackers can submit support tickets with embedded HTML/JavaScript payloads that execute in the browsers of other users viewing the message history, enabling session hijacking and phishing attacks.

CWE CWE-79
Vendor rocketsoft
Product rocket lms
Published May 10, 2026
Last Updated May 11, 2026

CVSS v3 Breakdown

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed
Confidentiality: Low
Integrity: Low
Availability: None

Affected Versions

Rocketsoft / Rocket LMS: 1.1

References

exploit-db.com: https://www.exploit-db.com/exploits/50677
lms.rocket-soft.org: https://lms.rocket-soft.org/
vulncheck.com: https://www.vulncheck.com/advisories/rocket-lms-persistent-cross-site-scripting-via-support-tickets

Credits

Vulnerability-Lab