CVE-2021-47843

MEDIUM

Tagstoo 2.0.1 - Stored Cross-Site Scripting via File or Custom Tag Injection

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2021-47843. PoCs published by TaurusOmar.

AI-analyzed exploit summary: This exploit demonstrates a stored XSS vulnerability in Tagstoo 2.0.1 that can be leveraged to achieve remote code execution (RCE) via Node.js process binding or child_process execution. The payloads are encoded to bypass basic input validation and execute arbitrary commands.

Description

Tagstoo 2.0.1 contains a stored cross-site scripting vulnerability that allows attackers to inject malicious payloads through files or custom tags. Attackers can execute arbitrary JavaScript code to spawn system processes, access files, and perform remote code execution on the victim's computer.

Exploits (1)

exploitdb WORKING POC
by TaurusOmar · javascript · webapps · multiple
https://www.exploit-db.com/exploits/49828

Classification: Working PoC 95%
Attack Type: XSS | RCE
Complexity: Moderate
Reliability: Reliable
Target: Tagstoo v2.0.1
No auth needed
Prerequisites: Victim must open a malicious file or tag in Tagstoo
devstral-2 · analyzed Feb 16, 2026

References (3)

Core References
Exploit, Third Party Advisory (exploit): https://www.exploit-db.com/exploits/49828
Exploit (product): https://imgur.com/a/smeAjaW

Scores

CVSS v3: 5.4
EPSS: 0.0003
EPSS Percentile: 8.4%
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation: poc
Automatable: no
Technical Impact: partial

Details

CWE: CWE-79
Status: published
Products (1): pabloandumundu/tagstoo 2.0.1
Published: Jan 15, 2026
Tracked Since: Feb 18, 2026