CVE-2021-47841

MEDIUM

SnipCommand 0.1.0 - Stored Cross-Site Scripting via File or Title Input

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2021-47841. PoCs published by TaurusOmar.

AI-analyzed exploit summary: This exploit leverages an XSS vulnerability in SnipCommand 0.1.0 to achieve RCE by embedding a malicious payload in an audio tag's onerror event. The payload executes a reverse shell via netcat and spawns a calculator as a secondary action.

Description

SnipCommand 0.1.0 contains a cross-site scripting vulnerability that allows attackers to inject malicious payloads into command snippets. Attackers can execute arbitrary code by embedding malicious JavaScript that triggers remote command execution through file or title inputs.

Exploits (1)

exploitdb · WORKING POC
by TaurusOmar · javascript · webapps · multiple
https://www.exploit-db.com/exploits/49829

Classification: Working PoC 90%
Attack Type: XSS
Complexity: Moderate
Reliability: Reliable
Target: SnipCommand 0.1.0
No auth needed
Prerequisites: Victim must open a malicious file or interact with a crafted snippet
devstral-2 · analyzed Feb 16, 2026

References (4)

Core References
Exploit, Third Party Advisory exploit
https://www.exploit-db.com/exploits/49829
Various Sources exploit
https://imgur.com/a/I2reH1M

Scores

CVSS v3: 6.1
EPSS: 0.0003
EPSS Percentile: 9.0%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation: poc
Automatable: no
Technical Impact: partial

Details

CWE: CWE-79
Status: published
Published: Jan 16, 2026
Tracked Since: Feb 18, 2026