CVE-2021-25993 MEDIUM

CVE-2021-25993: Requarks wiki.js - Stored Cross-Site Scripting (XSS) in markdown editor

Vendor: Requarks
Product: wiki
Weakness: CWE-79 · XSS
Published: December 29, 2021
Last update: April 30, 2025

CVSS base score

5.4/10
Attack vector: Network
Attack complexity: Low
Privileges required: Low
User interaction: Required
Confidentiality: Low
Integrity: Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

What the vulnerability does

01 Description

Requarks wiki.js versions 2.0.0-beta.147 to 2.5.255 are affected by a stored XSS vulnerability: a low-privileged (editor) user can upload an SVG file that contains malicious JavaScript while uploading assets in a page. When a victim accesses the file, the script sends the victim's JWT tokens to the attacker's server, leading to account takeover.

Key dates

02 Disclosure timeline

December 29, 2021: CVE published
April 30, 2025: Record updated

Related vulnerabilities

04 Related CVE