VYPR
Moderate severity · NVD Advisory · Published Nov 24, 2021 · Updated Aug 3, 2024

CVE-2021-20848

Description

Cross-site scripting vulnerability in rwtxt versions prior to v1.8.6 allows a remote attacker to inject an arbitrary script via unspecified vectors.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: github.com/schollz/rwtxt (Go)
Affected versions: < 1.8.6
Patched versions: 1.8.6

Affected products

1

Patches

1
c09fb17375c4

sanitize url

https://github.com/schollz/rwtxt · Zack Scholl · Jul 26, 2021 · via ghsa
1 file changed · +4 −1
  • rwtxt.go +4 −1 modified
    @@ -11,12 +11,15 @@ import (
     	"time"
     
     	"github.com/gorilla/websocket"
    +	"github.com/microcosm-cc/bluemonday"
     	"github.com/schollz/documentsimilarity"
     	log "github.com/schollz/logger"
     	"github.com/schollz/rwtxt/pkg/db"
     	"github.com/schollz/rwtxt/pkg/utils"
     )
     
    +var pbclean = bluemonday.UGCPolicy()
    +
     const DefaultBind = ":8152"
     
     type RWTxt struct {
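Review bot: the new `github.com/microcosm-cc/bluemonday` import at the top of this hunk adds a third-party dependency, but the commit touches only `rwtxt.go` (1 file changed), so the `go.mod`/`go.sum` entries that pin and checksum that module are not part of this change; a build from a clean checkout will fail until the dependency is recorded, and the supply-chain guarantee of a pinned, verified version is missing. Suggest including the `go.mod` and `go.sum` updates in the same commit. The package-level `var pbclean = bluemonday.UGCPolicy()` also deserves a short comment stating that it is the HTML sanitizing policy applied to user-controlled input, since the name `pbclean` does not say what it is for.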
    @@ -216,7 +219,7 @@ Disallow: /`))
     		return rwt.handleStatic(w, r)
     	}
     
    -	fields := strings.Split(r.URL.Path, "/")
    +	fields := strings.Split(pbclean.Sanitize(r.URL.Path), "/")
     
     	tr := NewTemplateRender(rwt)
     	tr.Domain = "public"
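Review bot: replacing `strings.Split(r.URL.Path, "/")` with `strings.Split(pbclean.Sanitize(r.URL.Path), "/")` applies an HTML sanitizer to a URL path, which is a mismatch of context: the path is not HTML, and the XSS risk arises where the path-derived value is later written into a page, so the robust fix is output encoding at render time (contextual escaping in `html/template`, or `html.EscapeString` for non-template output) rather than input sanitization here. As written, bluemonday will rewrite characters that are legal in paths (for example an `&` becomes `&amp;`), so `fields` may no longer match the document or domain name the user actually requested, and any later code that reads `r.URL.Path` directly still receives the unsanitized value. Suggest escaping at the output site instead, and adding a regression test that requests a path containing `<script>` and asserts the rendered HTML contains only the escaped form.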
    

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

4

News mentions

0

No linked articles in our index yet.