CVE-2021-33387
Description
Cross Site Scripting Vulnerability in MiniCMS v.1.10 allows attacker to execute arbitrary code via a crafted get request.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
MiniCMS v1.10 is vulnerable to reflected cross-site scripting (XSS) via a crafted GET request, allowing arbitrary JavaScript execution.
Vulnerability
MiniCMS v1.10 contains a reflected cross-site scripting (XSS) vulnerability. An attacker can inject arbitrary JavaScript into the application through a crafted GET request. The issue arises due to insufficient sanitization of user input before reflection in the response. This is confirmed in the GitHub issue report [1].
Exploitation
An attacker crafts a malicious URL containing the XSS payload and sends it to a victim. No authentication or prior access is required. The victim simply needs to click the link while logged into MiniCMS, triggering the injected script in their browser.
Impact
Successful exploitation allows arbitrary JavaScript execution in the context of the victim's session. This can lead to session hijacking, defacement, data theft, or other client-side attacks. The attacker does not gain server-side code execution, despite the CVE description's mention of "arbitrary code" — that refers to JavaScript in the browser.
Mitigation
As of the publication date, no official patch has been released by the vendor. Users are advised to sanitize and validate all user input, especially GET parameters, or upgrade to a newer version if available. The issue is tracked in the project's GitHub repository [1].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
References: 1
News mentions: 0
No linked articles in our index yet.