CVE-2021-42136

CRITICAL

REDCap < 11.4.0 - Stored Cross-Site Scripting in Missing Data Codes

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2021-42136: a PoC published by Kendrick Lam.

AI-analyzed exploit summary: This exploit demonstrates a stored XSS vulnerability in REDCap versions before 11.4.0, where JavaScript can be injected into Missing Data Code values. When an administrator views the stored value, the payload runs in the administrator's browser session and sends a crafted POST request to the server that escalates the attacker's privileges.

Description

A stored Cross-Site Scripting (XSS) vulnerability in the Missing Data Codes functionality of REDCap before 11.4.0 allows remote, authenticated attackers to execute JavaScript in the browser of any user who views the affected page, by storing the script as a Missing Data Code value. Because the injected script runs in the victim's authenticated session, it can issue forged requests on the victim's behalf (a Cross-Site Request Forgery attack); if the victim is an administrator, this can be used to escalate the attacker's privileges to administrator.
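The chain above has one sink and one fix: a user-controlled Missing Data Code label rendered into HTML without output encoding. The following is an added example, not REDCap's code and not the published PoC. REDCap itself is PHP, but the encoding rule is the same in any language, so it is shown here in runnable JavaScript: a vulnerable renderer beside a hardened one, a constructed payload of the shape the advisory describes (the `/hypothetical/admin/endpoint` URL is a placeholder, not a REDCap route), and a heuristic audit a practitioner can run over stored labels before upgrading.

```javascript
// Added example (not REDCap code, not the exploit-db PoC). Demonstrates
// why an unescaped Missing Data Code label is a stored XSS sink, how
// contextual HTML escaping neutralises it, and a quick audit of stored labels.

// Escape the five characters that change meaning in HTML text and
// double/single-quoted attribute contexts.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;",
    "<": "&lt;",
    ">": "&gt;",
    '"': "&quot;",
    "'": "&#39;",
  })[c]);
}

// Vulnerable pattern: the stored label is concatenated straight into markup,
// so a label containing a tag or event handler becomes live script.
function renderCodeRowUnsafe(code, label) {
  return `<tr><td>${code}</td><td>${label}</td></tr>`;
}

// Hardened pattern: every user-controlled value is escaped for the HTML
// context it lands in. The label survives as visible text only.
function renderCodeRowSafe(code, label) {
  return `<tr><td>${escapeHtml(code)}</td><td>${escapeHtml(label)}</td></tr>`;
}

// Constructed sample label with the payload shape the advisory describes:
// markup that, once rendered in an administrator's session, issues an
// authenticated POST. The endpoint is a hypothetical placeholder.
const SAMPLE_PAYLOAD_LABEL =
  '<img src=x onerror="fetch(\'/hypothetical/admin/endpoint\',' +
  "{method:'POST',credentials:'include',body:'...'})\">";

// Heuristic audit over stored labels: flag anything that looks like a tag,
// an inline event handler, or a javascript: URL. A legitimate label such as
// "Not applicable" should never match.
const SUSPICIOUS_MARKUP = /<\s*\/?\s*[a-z][^>]*>|\bon[a-z]+\s*=|javascript:/i;

function auditMissingDataCodes(codes) {
  return codes
    .filter(({ label }) => SUSPICIOUS_MARKUP.test(label))
    .map(({ code }) => code);
}

// Constructed sample of a Missing Data Codes table, including one
// poisoned entry.
const SAMPLE_CODES = [
  { code: "NA", label: "Not applicable" },
  { code: "UNK", label: "Unknown" },
  { code: "XSS", label: SAMPLE_PAYLOAD_LABEL },
];

// Stand-alone usage: show both renderings and the audit result.
if (typeof require !== "undefined" && require.main === module) {
  console.log(renderCodeRowUnsafe("XSS", SAMPLE_PAYLOAD_LABEL));
  console.log(renderCodeRowSafe("XSS", SAMPLE_PAYLOAD_LABEL));
  console.log("flagged codes:", auditMissingDataCodes(SAMPLE_CODES));
}
```

Two caveats worth stating. First, anti-CSRF tokens do not help here: the injected script is same-origin, runs with the administrator's cookies, and can read any token the page exposes, which is why the advisory's XSS-to-CSRF chain works. Output encoding at the sink (or upgrading to REDCap 11.4.0 or later) is the fix. Second, the audit regex is a triage aid, not a guarantee; a label that passes it should still be rendered through the escaping path.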

Exploits (1)

exploitdb WORKING POC
by Kendrick Lam · text · webapps · php
https://www.exploit-db.com/exploits/50877


Classification: Working PoC (95%)
Attack Type: XSS
Complexity: Moderate
Reliability: Reliable
Target: REDCap before 11.4.0
Auth required
Prerequisites: a low-privileged user able to store Missing Data Code values; an administrator who views the stored payload
Analysis: devstral-2, Feb 16, 2026

References (3)

Core References (3)
Product: https://www.project-redcap.org/
Release Notes, Third Party Advisory: https://redcap.med.usc.edu/_shib/assets/ChangeLog_Standard.pdf
Exploit, Third Party Advisory, VDB Entry: http://packetstormsecurity.com/files/166723/REDCap-Cross-Site-Scripting.html

Scores

CVSS v3 9.0
EPSS 0.0452
EPSS Percentile 90.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

Details

CWE
CWE-79
Status published
Products (1)
vanderbilt/redcap < 11.4.0
Published Apr 13, 2022
Tracked Since Feb 18, 2026