CVE-2021-40926
Description
Cross-site scripting (XSS) vulnerability in getID3's demo.mysqli.php via the showtagfiles parameter, affecting versions 1.X and 2.0.0-beta.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A reflected cross-site scripting (XSS) vulnerability exists in the demos/demo.mysqli.php file of the getID3 library (versions 1.X and v2.0.0-beta). The showtagfiles parameter is not properly sanitized before being rendered, allowing an attacker to inject arbitrary web script or HTML. This affects all installations using the demo script with default configurations [1][3].
Exploitation
An attacker can craft a malicious URL containing the payload in the showtagfiles parameter and trick a victim into clicking it. No authentication is required to access the demo script if it is exposed on a web server. The payload is reflected in the response and executed in the victim's browser context [2][3].
Impact
Successful exploitation leads to arbitrary JavaScript execution in the context of the affected origin, enabling actions such as session hijacking, credential theft, or defacement. The attacker does not gain file read/write or server-side code execution, but achieves standard client-side XSS impact [3].
Mitigation
The vulnerability is fixed in getID3 version 1.9.21, released September 22, 2021, which adds proper sanitization of the showtagfiles parameter [4]. Users should update to version 1.9.21 or later. As a workaround, restrict access to the demo script (e.g., remove or protect demos/demo.mysqli.php) until an upgrade can be performed [2][4].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| james-heinrich/getid3 (Packagist) | >= 1.0.0, < 1.9.21 | 1.9.21 |
Affected products
- getID3/getID3
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing output sanitization of the `showtagfiles` parameter in `demos/demo.mysqli.php` allows reflected cross-site scripting."
Attack vector
An attacker crafts a URL containing a malicious JavaScript payload in the `showtagfiles` query parameter, e.g. `?showtagfiles=<script>alert(1)</script>`. When a victim visits this URL, the browser executes the injected script because the parameter value is echoed back into the HTML without proper escaping [CWE-79]. No authentication or special network position is required; the attack is delivered via a simple HTTP GET request to the publicly accessible demo page.
Affected code
The vulnerability is in the demo file `demos/demo.mysqli.php` included with getID3 1.x and v2.0.0-beta. The file does not sanitize the `showtagfiles` parameter before reflecting it in the page output.
What the fix does
No patch is shown in the bundle. The advisory [ref_id=1] identifies the vulnerable file (`demos/demo.mysqli.php`) but does not include a fix commit or remediation guidance. To close the vulnerability, the `showtagfiles` parameter must be sanitized with `htmlspecialchars()` or similar output-encoding before being rendered in the HTML response, preventing script injection.
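To make the output-encoding fix concrete, here is an added PHP illustration (not getID3's own demo code and not the upstream patch): a hypothetical stand-in for the reflection pattern the advisory describes, beside an `htmlspecialchars()`-encoded form and an allowlist form that never echoes the untrusted string at all. Only the parameter name comes from this page; the surrounding markup is invented for the example.

```php
<?php
// Added illustration, not code from getID3. The <h2> markup is a hypothetical
// stand-in for wherever the real demo reflected the parameter.

// Vulnerable pattern: the raw query value is concatenated straight into HTML,
// so a value containing markup is parsed as markup by the browser (CWE-79).
function render_showtagfiles_unsafe(string $showtagfiles): string
{
    return '<h2>Tag files: ' . $showtagfiles . '</h2>';
}

// Hardened pattern: encode for the HTML context the value is inserted into.
// ENT_QUOTES also encodes single quotes, so the same helper is safe inside
// either kind of attribute quoting; ENT_SUBSTITUTE keeps htmlspecialchars()
// from returning an empty string on invalid UTF-8, which would otherwise
// silently blank the field instead of surfacing the bad input.
function render_showtagfiles_safe(string $showtagfiles): string
{
    $encoded = htmlspecialchars($showtagfiles, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<h2>Tag files: ' . $encoded . '</h2>';
}

// Tighter still for a parameter that is really an on/off switch: compare the
// untrusted value against an allowlist and only ever emit application-chosen
// strings, so no user-controlled bytes reach the response body at all.
function render_showtagfiles_allowlist(array $query): string
{
    $on = isset($query['showtagfiles']) && $query['showtagfiles'] === '1';
    return '<h2>Tag files: ' . ($on ? 'shown' : 'hidden') . '</h2>';
}

// Constructed input in the shape the advisory describes.
$sample = '<script>alert(1)</script>';
echo render_showtagfiles_unsafe($sample), PHP_EOL;   // script element survives into the page
echo render_showtagfiles_safe($sample), PHP_EOL;     // angle brackets become entities; inert text
echo render_showtagfiles_allowlist(['showtagfiles' => $sample]), PHP_EOL; // input never echoed
```

Encoding must match the sink: `htmlspecialchars()` is correct for HTML text and quoted attributes, but a value inserted into a JavaScript block, a URL, or CSS needs that context's encoder instead.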
Preconditions
- config: The getID3 installation must have the demos/ directory accessible via a web server
- network: Attacker must be able to send HTTP requests to the server hosting the demo file
- auth: No authentication required
Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-x2gw-85w6-fjjw (advisory)
- nvd.nist.gov/vuln/detail/CVE-2021-40926 (advisory)
- github.com/JamesHeinrich/getID3/issues/341 (web)
- github.com/JamesHeinrich/getID3/pull/342 (web)
- github.com/JamesHeinrich/getID3/releases/tag/v1.9.21 (web)
News mentions
No linked articles in our index yet.