CVE-2021-47842

HIGH

StudyMD 0.3.2 - Stored Cross-Site Scripting via Markdown File Upload

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2021-47842. PoCs published by TaurusOmar.

AI-analyzed exploit summary This exploit demonstrates a persistent XSS vulnerability in StudyMD 0.3.2, where malicious JavaScript payloads can be embedded in markdown files. The payload executes arbitrary commands (e.g., reverse shell) when the file is opened.

Description

StudyMD 0.3.2 contains a persistent cross-site scripting vulnerability that allows attackers to inject malicious scripts into markdown files. Attackers can upload crafted markdown files with embedded JavaScript payloads that execute when the file is opened, potentially enabling remote code execution.

Exploits (1)

exploitdb WORKING POC
by TaurusOmar · javascriptwebappsmultiple
https://www.exploit-db.com/exploits/49832

This exploit demonstrates a persistent XSS vulnerability in StudyMD 0.3.2, where malicious JavaScript payloads can be embedded in markdown files. The payload executes arbitrary commands (e.g., reverse shell) when the file is opened.

Classification
Working Poc 90%
Attack Type
Xss
Complexity
Trivial
Reliability
Reliable
Target: StudyMD 0.3.2
No auth needed
Prerequisites: Victim must open a malicious markdown file in StudyMD
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (4)

Core 4
Core References
Exploit, Third Party Advisory exploit
https://www.exploit-db.com/exploits/49832
Various Sources product
https://github.com/jotron/StudyMD
Various Sources exploit
https://imgur.com/a/lDHKEIp

Scores

CVSS v3 7.2
EPSS 0.0004
EPSS Percentile 13.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-79
Status published
Published Jan 16, 2026
Tracked Since Feb 18, 2026