CVE-2021-43461

MEDIUM

Rumble Mail Server 0.51.3135 - Cross-Site Scripting via Servername Parameter

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2021-43461. PoCs published by Mohammed Alshehri.

AI-analyzed exploit summary This exploit demonstrates a stored XSS vulnerability in Rumble Mail Server 0.51.3135 by injecting a malicious script into the 'servername' parameter via a POST request to the settings endpoint. The payload is reflected in the server's response, confirming the vulnerability.

Description

Cross Site Scripting (XSS) vulnerability exists in Rumble Mail Server 0.51.3135 via the servername parameter.

Exploits (1)

exploitdb WORKING POC

by Mohammed Alshehri · textwebappsmultiple

https://www.exploit-db.com/exploits/49253

View Code ZIP pw:eip

This exploit demonstrates a stored XSS vulnerability in Rumble Mail Server 0.51.3135 by injecting a malicious script into the 'servername' parameter via a POST request to the settings endpoint. The payload is reflected in the server's response, confirming the vulnerability.

Classification

Working Poc 100%

Attack Type

Xss

Complexity

Trivial

Reliability

Reliable

Target: Rumble Mail Server 0.51.3135

Auth required

Prerequisites: Access to the admin interface · Valid credentials for authentication

MITRE ATT&CK

T1189 - Drive-by Compromise

devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (1)

Core 1

Core References

Exploit, Third Party Advisory, VDB Entry x_refsource_misc

https://www.exploit-db.com/exploits/49253

Scores

CVSS v3 5.4

EPSS 0.0056

EPSS Percentile 42.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Details

CWE

CWE-79

Status published

Products (1)

rumble_mail_server_project/rumble_mail_server 0.51.3135

Published Apr 04, 2022

Tracked Since Feb 18, 2026