CVE-2021-47947

MEDIUM EPSS 10.5%

Published May 10, 20261mo ago · Modified Jun 17, 20261w ago

5.1 CVSS 4.0

Medium

Published May 10, 2026 1mo ago

Last Modified Jun 17, 2026 1w ago

Description

Projectsend r1295 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by submitting crafted input in the 'name' parameter of files-edit.php. Attackers can inject JavaScript payloads through the file name field that execute in the browser when the file is viewed by other users, particularly affecting System Administrator users on the Dashboard page.

CVSS Details

Base Score

5.1

Exploitability

—

Impact

—

Vector string

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector Network

Attack Complexity Low

Privileges Required Low

User Interaction P

Scope X

Threat Intelligence

EPSS Exploit Probability

10.5% percentile

Exploit & Patch Status

No Known Exploit

No Patch Available

Weaknesses 1

CWE-79 Cross-site Scripting Injection

References 4

exploit-db.com https://www.exploit-db.com/exploits/50240
projectsend.org https://www.projectsend.org/
projectsend.org https://www.projectsend.org/download/387/
vulncheck.com https://www.vulncheck.com/advisories/projectsend-r1295-stored-cross-site-scripting-via-files-edit-php

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.