CVE-2021-31721
MEDIUMChevereto < 3.17.1 - Cross-Site Scripting via Image Title Upload
Title source: llmExploitation Summary
EIP tracks 1 public exploit for CVE-2021-31721. PoCs published by Akıner Kısa.
AI-analyzed exploit summary This exploit demonstrates a stored XSS vulnerability in Chevereto 3.17.1 by injecting malicious JavaScript into the image title field. The payload executes when the image is viewed.
Description
Chevereto before 3.17.1 allows Cross Site Scripting (XSS) via an image title at the image upload stage.
Exploits (1)
exploitdb
WORKING POC
by Akıner Kısa · textwebappsmultiple
https://www.exploit-db.com/exploits/49859
This exploit demonstrates a stored XSS vulnerability in Chevereto 3.17.1 by injecting malicious JavaScript into the image title field. The payload executes when the image is viewed.
Classification
Working Poc 90%
Attack Type
Xss
Complexity
Trivial
Reliability
Reliable
Target:
Chevereto 3.17.1
Auth required
Prerequisites:
User account with upload permissions · Image upload functionality enabled
MITRE ATT&CK
devstral-2 · analyzed Feb 16, 2026
Full analysis →
References (3)
Core 3
Core References
Vendor Advisory x_refsource_misc
http://chevereto.com
Exploit, Third Party Advisory, VDB Entry x_refsource_misc
https://www.exploit-db.com/exploits/49859
Exploit, Third Party Advisory, VDB Entry x_refsource_misc
http://packetstormsecurity.com/files/164183/Cloudron-6.2-Cross-Site-Scripting.html
Scores
CVSS v3
6.1
EPSS
0.0125
EPSS Percentile
65.5%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Details
CWE
CWE-79
Status
published
Products (1)
chevereto/chevereto
< 3.17.1
Published
Jun 30, 2021
Tracked Since
Feb 18, 2026