CVE-2021-42053
MEDIUM
django-unicorn < 0.36.0 - Cross-Site Scripting via Component Name
Title source: llm
Exploitation Summary
EIP tracks 1 public exploit for CVE-2021-42053. PoCs published by Raven Security Associates.
AI-analyzed exploit summary
This exploit demonstrates a stored XSS vulnerability in django-unicorn <= 0.35.3 by sending a crafted AJAX request with an XSS payload in the 'task' field, which is then rendered in the response without proper escaping.
Description
The Unicorn framework through 0.35.3 for Django allows XSS via component.name.
Exploits (1)
exploitdb
WORKING POC
by Raven Security Associates · text · webapps · python
https://www.exploit-db.com/exploits/50393
Classification
Working PoC 95%
Attack Type
XSS
Complexity
Trivial
Reliability
Reliable
Target:
django-unicorn <= 0.35.3
Auth required
Prerequisites:
Access to a vulnerable django-unicorn instance · Valid CSRF token
MITRE ATT&CK
devstral-2 · analyzed Feb 18, 2026
References (3)
Core References
Patch, Third Party Advisory x_refsource_misc
https://github.com/adamghill/django-unicorn/pull/288/files
Exploit, Third Party Advisory x_refsource_misc
http://packetstormsecurity.com/files/164442/django-unicorn-0.35.3-Cross-Site-Scripting.html
Patch, Third Party Advisory x_refsource_misc
https://github.com/adamghill/django-unicorn/compare/0.35.3...0.36.0
Scores
CVSS v3
5.4
EPSS
0.0031
EPSS Percentile
54.5%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Details
CWE
CWE-79
Status
published
Products (2)
django-unicorn/unicorn
< 0.35.3
pypi/django-unicorn
0 - 0.36.0 · PyPI
Published
Oct 07, 2021
Tracked Since
Feb 18, 2026