CVE-2021-47844
Description
Xmind 2020 contains a cross-site scripting vulnerability that allows attackers to inject malicious payloads into mind mapping files or custom headers. Attackers can craft malicious files with embedded JavaScript that execute system commands when opened, enabling remote code execution through mouse interactions or file opening.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Xmind 2020 has a persistent XSS vulnerability allowing attackers to inject JavaScript into mind map files, leading to remote code execution when opened.
Vulnerability
Description
Xmind 2020 suffers from a persistent cross-site scripting (XSS) vulnerability, identified as CWE-79. Attackers can inject malicious JavaScript payloads into mind mapping files or custom header titles. The injected code is stored and executed when the victim interacts with the file, such as moving the mouse or clicking, or simply by opening the file [1][3].
Exploitation
Exploitation requires user interaction: the victim must open a specially crafted Xmind file or view a header containing the payload. The attack vector is network-based with low complexity and no authentication required, though user interaction is necessary. Proof-of-concept exploits demonstrate encoding the payload as an HTML img tag with an onerror event that spawns a child process to execute system commands like reading /etc/passwd [1].
Impact
Successful exploitation can lead to remote code execution on the victim's machine with the privileges of the user running Xmind. The CVSS v3.1 score is 6.1 (Medium), while the exploit-db entry assigns a risk of 8.8 (High), reflecting the potential for full confidentiality, integrity, and availability impact [1][3].
Mitigation
As of the published date (January 2026), no patch or vendor advisory has been identified for this vulnerability. Users of Xmind 2020 should treat the software as end-of-life for security purposes. Mitigation includes avoiding opening untrusted Xmind files and not clicking on suspicious headers. The vulnerability is not currently listed in CISA's Known Exploited Vulnerabilities catalog.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
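A pre-open check in the spirit of the mitigation above, added here as an example and not part of the CVE record or of Xmind itself: it unpacks a mind map file and flags HTML elements, inline event handlers, javascript: URLs and Electron shell-access calls inside the text entries, which is where a file-borne XSS payload of the kind described would have to live. It assumes (not stated on the page) that an Xmind 2020 file is a ZIP archive whose topic titles sit in entries such as content.json; the sample files are constructed inline.

```python
import io
import json
import re
import zipfile

# Patterns that indicate HTML/JavaScript in what should be plain topic text.
SUSPICIOUS = re.compile(
    r"<\s*(script|img|svg|iframe|object|embed)\b"   # active HTML elements
    r"|\bon[a-z]+\s*="                               # inline event handlers (onerror=, onload=, ...)
    r"|javascript\s*:"                               # javascript: URLs
    r"|\brequire\s*\(\s*['\"]child_process['\"]",    # Electron shell access
    re.IGNORECASE,
)

# Assumption: text-bearing entries inside the archive use these suffixes.
TEXT_ENTRIES = (".json", ".xml", ".html", ".txt")


def scan_xmind(data: bytes) -> list:
    """Return (entry_name, matched_text) for every suspicious hit in the archive."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith(TEXT_ENTRIES):
                continue
            text = zf.read(info).decode("utf-8", errors="replace")
            for m in SUSPICIOUS.finditer(text):
                hits.append((info.filename, m.group(0)))
    return hits


def build_sample(title: str) -> bytes:
    """Constructed sample file: a minimal ZIP with one root topic in content.json."""
    content = [{"rootTopic": {"title": title, "children": []}}]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("content.json", json.dumps(content))
        zf.writestr("metadata.json", json.dumps({"creator": {"name": "sample"}}))
    return buf.getvalue()


if __name__ == "__main__":
    clean = build_sample("Quarterly plan")
    tainted = build_sample('Plan <img src=x onerror="alert(1)">')
    print(scan_xmind(clean))    # []
    print(scan_xmind(tainted))  # [('content.json', '<img'), ('content.json', 'onerror=')]
```

A non-empty result is a reason to quarantine the file rather than open it; the check is a coarse signature, not a parser, so it should be paired with the "do not open untrusted files" rule rather than replace it.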
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References: 4
News mentions: 0
No linked articles in our index yet.