CVE-2021-27237
MEDIUMBlackCat CMS 1.3.6 - Stored Cross-Site Scripting via Display Name Field
Title source: llmExploitation Summary
EIP tracks 1 public exploit for CVE-2021-27237. PoCs published by Kamaljeet Kumar.
AI-analyzed exploit summary This is a writeup describing a stored XSS vulnerability in BlackCat CMS 1.3.6. The exploit involves injecting an XSS payload into the 'Display name' field in the admin profile, which triggers when hovered over.
Description
The admin panel in BlackCat CMS 1.3.6 allows stored XSS (by an admin) via the Display Name field to backend/preferences/ajax_save.php.
Exploits (1)
exploitdb
WRITEUP
by Kamaljeet Kumar · textwebappsphp
https://www.exploit-db.com/exploits/49565
This is a writeup describing a stored XSS vulnerability in BlackCat CMS 1.3.6. The exploit involves injecting an XSS payload into the 'Display name' field in the admin profile, which triggers when hovered over.
Classification
Writeup 90%
Attack Type
Xss
Complexity
Trivial
Reliability
Reliable
Target:
BlackCat CMS 1.3.6
Auth required
Prerequisites:
Admin access to the BlackCat CMS panel
MITRE ATT&CK
devstral-2 · analyzed Feb 16, 2026
Full analysis →
References (3)
Core 3
Core References
Patch, Third Party Advisory x_refsource_misc
https://github.com/BlackCatDevelopment/BlackCatCMS/commits/release-1.4/upload/backend/preferences/ajax_save.php
Patch, Third Party Advisory x_refsource_misc
https://github.com/BlackCatDevelopment/BlackCatCMS/compare/1.3.6...1.4Beta
Exploit, Third Party Advisory, VDB Entry x_refsource_misc
https://www.exploit-db.com/exploits/49565
Scores
CVSS v3
4.8
EPSS
0.0096
EPSS Percentile
56.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Details
CWE
CWE-79
Status
published
Products (1)
blackcat-cms/blackcat_cms
1.3.6
Published
Feb 16, 2021
Tracked Since
Feb 18, 2026