CVE-2021-47963

HIGH

Anote 1.0 Persistent Cross-Site Scripting Remote Code Execution

Title source: cna

Exploitation Summary

EIP tracks 1 public exploit for CVE-2021-47963. PoCs published by TaurusOmar.

AI-analyzed exploit summary This exploit demonstrates a persistent XSS vulnerability in Anote 1.0, where malicious JavaScript payloads can be embedded in markdown files. The payload executes arbitrary commands (e.g., reverse shell) when the file is opened, leveraging the application's markdown rendering to achieve RCE.

Description

Anote 1.0 contains a persistent cross-site scripting vulnerability that allows attackers to execute arbitrary code by injecting malicious payloads into markdown files stored within the application. Attackers can craft malicious markdown files with embedded JavaScript that executes system commands when opened, enabling remote code execution on the victim's computer.

Exploits (1)

exploitdb WORKING POC

by TaurusOmar · javascriptwebappsmultiple

https://www.exploit-db.com/exploits/49836

View Code ZIP pw:eip

This exploit demonstrates a persistent XSS vulnerability in Anote 1.0, where malicious JavaScript payloads can be embedded in markdown files. The payload executes arbitrary commands (e.g., reverse shell) when the file is opened, leveraging the application's markdown rendering to achieve RCE.

Classification

Working Poc 95%

Attack Type

Xss

Complexity

Moderate

Reliability

Reliable

Target: Anote 1.0

No auth needed

Prerequisites: Victim must open a malicious markdown file in Anote

MITRE ATT&CK

T1059.007 - JavaScript T1189 - Drive-by Compromise

devstral-2 · analyzed May 16, 2026 Full analysis →

References (3)

Core 3

Core References

Exploit exploit

ExploitDB-49836

https://www.exploit-db.com/exploits/49836

Product product

Official Product Homepage

https://github.com/AnotherNote/anote

Third Party Advisory third-party-advisory

VulnCheck Advisory: Anote 1.0 Persistent Cross-Site Scripting Remote Code Execution

https://www.vulncheck.com/advisories/anote-persistent-cross-site-scripting-remote-code-execution

Scores

CVSS v3 7.2

EPSS 0.0003

EPSS Percentile 8.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact partial

Details

CWE

CWE-79

Status published

Products (1)

AnotherNote/Anote 1.0

Published May 15, 2026

Tracked Since May 16, 2026