CVE-2021-36654

MEDIUM

CMSuno 1.7 - Authenticated Stored Cross-Site Scripting via Theme Filename Parameter

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2021-36654. PoCs published by splint3rsec.

AI-analyzed exploit summary: This is a writeup detailing a stored XSS vulnerability in CMSuno 1.7 and prior versions. The vulnerability requires authentication and involves injecting malicious JavaScript into the template's image filename via the 'tgo' parameter of a POST request.

Description

CMSuno 1.7 is vulnerable to authenticated stored cross-site scripting through the filename parameter (tgo), which can be modified while updating the theme.

Exploits (1)

exploitdb WRITEUP
by splint3rsec · text · webapps · php
https://www.exploit-db.com/exploits/50179

Classification: Writeup 90%
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: CMSuno 1.7 (and prior)
Auth required
Prerequisites: Authenticated access to CMSuno admin panel
devstral-2 · analyzed Feb 16, 2026

References (2)

Core References
Exploit, Issue Tracking, Third Party Advisory x_refsource_misc
https://github.com/boiteasite/cmsuno/issues/17
Exploit, Third Party Advisory, VDB Entry x_refsource_misc
http://packetstormsecurity.com/files/163737/CMSuno-1.7-Cross-Site-Scripting.html

Scores

CVSS v3: 5.4
EPSS: 0.0194
EPSS Percentile: 77.4%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Details

CWE: CWE-79
Status: published
Products (1): cmsuno_project/cmsuno 1.7
Published: Aug 03, 2021
Tracked Since: Feb 18, 2026