CVE-2021-47835

HIGH

Freeter 1.2.1 - Stored Cross-Site Scripting via Custom Widget Titles and Files

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2021-47835. PoCs published by TaurusOmar.

AI-analyzed exploit summary This is a functional XSS exploit for Freeter 1.2.1, leveraging an audio tag with an onerror handler to execute arbitrary JavaScript. The payload spawns a reverse shell via netcat and executes system commands.

Description

Freeter 1.2.1 contains a persistent cross-site scripting vulnerability that allows attackers to store malicious payloads in custom widget titles and files. Attackers can craft malicious files with embedded scripts that execute when victims interact with the application, potentially enabling remote code execution.

Exploits (1)

exploitdb WORKING POC
by TaurusOmar · javascriptwebappsmultiple
https://www.exploit-db.com/exploits/49833

This is a functional XSS exploit for Freeter 1.2.1, leveraging an audio tag with an onerror handler to execute arbitrary JavaScript. The payload spawns a reverse shell via netcat and executes system commands.

Classification
Working Poc 90%
Attack Type
Xss
Complexity
Trivial
Reliability
Reliable
Target: Freeter 1.2.1
No auth needed
Prerequisites: Victim interaction (mouse movement or click)
devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (4)

Core 4
Core References
Exploit, Third Party Advisory exploit
https://www.exploit-db.com/exploits/49833
Various Sources product
https://freeter.io/
Various Sources exploit
https://imgur.com/a/iBuKWm4

Scores

CVSS v3 7.2
EPSS 0.0004
EPSS Percentile 13.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-79
Status published
Published Jan 16, 2026
Tracked Since Feb 18, 2026