Medium severity6.4NVD Advisory· Published May 10, 2026· Updated May 13, 2026

CVE-2021-47931

Description

Exponent CMS 2.6 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts through the Title and Text Block parameters in the text editing endpoint. Attackers can inject iframe payloads with embedded SVG onload events to execute arbitrary JavaScript, and the application also exposes database credentials in responses and lacks brute-force protection on authentication endpoints.

Affected products

Exponent/Exponent CMSinferred
Range: =2.6

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

www.exploit-db.com/exploits/50611nvd
www.exponentcms.orgnvd
www.vulncheck.com/advisories/exponent-cms-multiple-vulnerabilities-stored-xss-authenticationnvd

News mentions

No linked articles in our index yet.

cvss	0.416
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000