CVE-2021-47738 MEDIUM

CVE-2021-47738: CSZ CMS 1.2.7 Persistent Cross-Site Scripting via Private Messaging

Vendor Cszcms

Product CSZ CMS

Weakness CWE-79 · XSS

Published December 23, 2025

Last update April 7, 2026

View on NVD All CVEs

CVSS base score

5.1/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction —

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

What the vulnerability does

01Description

CSZ CMS 1.2.7 contains a persistent cross-site scripting vulnerability that allows unauthorized users to embed malicious JavaScript in private messages. Attackers can send messages with script payloads in the user-agent header, which will execute when an admin views the message in the backend dashboard.

Key dates

02Disclosure timeline

December 23, 2025 CVE published

April 7, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2021-47738 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/79.html

Related vulnerabilities

04Related CVE

CVE-2024-34687 Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Application server for ABAP and ABAP Platform CVE-2023-4944 Awesome Weather Widget <= 3.0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode CVE-2025-64863 Adobe Experience Manager | Cross-site Scripting (Stored XSS) (CWE-79) CVE-2022-2378 Easy Student Results <= 2.2.8 - Reflected Cross-Site Scripting CVE-2025-26536 WordPress Another Events Calendar Plugin <= 1.7.0 - Reflected Cross Site Scripting (XSS) vulnerability