CVE-2021-47931

MEDIUM 6.4

Exponent CMS 2.6 Multiple Vulnerabilities Stored XSS Authentication

CVSS Score

6.4

EPSS Score

0.0%

EPSS Percentile

0th

Exponent CMS 2.6 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts through the Title and Text Block parameters in the text editing endpoint. Attackers can inject iframe payloads with embedded SVG onload events to execute arbitrary JavaScript, and the application also exposes database credentials in responses and lacks brute-force protection on authentication endpoints.

CWE	CWE-79
Vendor	exponentcms
Product	exponent cms
Published	May 10, 2026
Last Updated	May 11, 2026

Stay Ahead of the Next One

Get instant alerts for exponentcms exponent cms

Be the first to know when new medium vulnerabilities affecting exponentcms exponent cms are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Changed

Confidentiality

None

Integrity

None

Availability

None

Affected Versions

Exponentcms / Exponent CMS

0 ≤ 2.6

References

NVD ↗ CVE.org ↗ EPSS Data ↗

exploit-db.com: https://www.exploit-db.com/exploits/50611 exponentcms.org: https://www.exponentcms.org/ vulncheck.com: https://www.vulncheck.com/advisories/exponent-cms-multiple-vulnerabilities-stored-xss-authentication

Credits

picaro_o