CVE-2021-47716 MEDIUM

CVE-2021-47716: Orangescrum 1.8.0 Cross-Site Scripting via Authenticated Endpoints

Vendor Orangescrum

Product orangescrum

Weakness CWE-79 · XSS

Published December 23, 2025

Last update April 7, 2026

View on NVD All CVEs

CVSS base score

5.1/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction —

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

What the vulnerability does

01Description

Orangescrum 1.8.0 contains multiple cross-site scripting vulnerabilities that allow authenticated attackers to inject malicious scripts through various input parameters. Attackers can exploit parameters like 'projid', 'CS_message', and 'name' to execute arbitrary JavaScript code in victim's browsers by submitting crafted payloads through application endpoints.

Key dates

02Disclosure timeline

December 23, 2025 CVE published

April 7, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2021-47716 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/79.html

Related vulnerabilities

04Related CVE

CVE-2024-8788 EU/UK VAT Manager for WooCommerce <= 2.12.12 - Reflected Cross-Site Scripting CVE-2025-60099 WordPress Embed Any Document Plugin <= 2.7.7 - Cross Site Scripting (XSS) Vulnerability CVE-2025-62793 eLabFTW HTML / CSS Injection via Malicious SVG Upload Leads to Credential Theft / Clickjacking CVE-2023-28687 Reflected Cross-Site Scripting (XSS) vulnerability in multiple WordPress themes CVE-2025-53903 The Scratch Channel Has Potential Cross-Site Scripting (XSS) Vulnerability