CVE-2021-47720 HIGH

CVE-2021-47720: Orangescrum 1.8.0 Authenticated SQL Injection via Multiple Parameters

Vendor Orangescrum
Product orangescrum
Weakness CWE-89 · SQLi
Published December 23, 2025
Last update April 7, 2026

CVSS base score

8.7/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N

What the vulnerability does

01 Description

Orangescrum 1.8.0 contains an authenticated SQL injection vulnerability that allows authorized users to manipulate database queries through multiple vulnerable parameters. Attackers can inject malicious SQL code into parameters like old_project_id, project_id, uuid, and uniqid to potentially extract or modify database information.

Key dates

02 Disclosure timeline

December 23, 2025 CVE published
April 7, 2026 Record updated