Medium severity6.4NVD Advisory· Published May 10, 2026· Updated May 12, 2026

CVE-2021-47947

Description

Projectsend r1295 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by submitting crafted input in the 'name' parameter of files-edit.php. Attackers can inject JavaScript payloads through the file name field that execute in the browser when the file is viewed by other users, particularly affecting System Administrator users on the Dashboard page.

Affected products

Projectsend/Projectsendinferred
Range: =r1295

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

www.exploit-db.com/exploits/50240nvd
www.projectsend.orgnvd
www.projectsend.org/download/387/nvd
www.vulncheck.com/advisories/projectsend-r1295-stored-cross-site-scripting-via-files-edit-phpnvd

News mentions

No linked articles in our index yet.

cvss	0.416
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000