SB2021121906 - Cross-site scripting in Wiki.js




Published: December 19, 2021 Updated: April 28, 2026

Security Bulletin ID: SB2021121906
CSH Severity: Low
Patch available: YES
Number of vulnerabilities: 1
Exploitation vector: Remote access
Highest impact: Data manipulation

Breakdown by Severity

Low: 100%

Description

This security bulletin contains information about 1 vulnerability.


1) Cross-site scripting (CVE-ID: CVE-2021-43842)

The vulnerability allows a remote user to execute arbitrary JavaScript in the victim's browser.

The vulnerability is a cross-site scripting issue in the handling of uploaded SVG files. A remote user can upload a specially crafted SVG file to execute arbitrary JavaScript in the victim's browser.

Scripts execute when the uploaded SVG is viewed directly by other users, but not when it is loaded inside a page via normal img tags.


Remediation

Install the update from the vendor's website.
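
Because the scripts run only when the uploaded SVG is requested directly, a site that accepts SVG uploads can add two defence-in-depth checks alongside the update: flag script-capable markup at upload time, and serve uploaded SVGs with headers that prevent script execution. The sketch below is an added example, not Wiki.js code and not the vendor's fix; the function names and the sample SVG strings are assumptions constructed for illustration.

```javascript
// Added example, not Wiki.js code. Conservative scan of an uploaded SVG for
// script-capable markup, plus headers for serving the file on direct requests.
const ACTIVE_ELEMENTS = new Set(['script', 'foreignobject', 'iframe', 'embed', 'object']);

// Decode numeric character references before comparing attribute values.
function decodeNumericRefs(s) {
  return s.replace(/&#(x[0-9a-f]+|\d+);?/gi, (_, n) => {
    const cp = n[0].toLowerCase() === 'x' ? parseInt(n.slice(1), 16) : parseInt(n, 10);
    return cp <= 0x10ffff ? String.fromCodePoint(cp) : '';
  });
}

// Returns a list of findings; an empty list means nothing script-capable was seen.
function findActiveContent(svgText) {
  const findings = [];
  // A DTD can declare entities that a text scan cannot see through: flag it.
  if (/<!(DOCTYPE|ENTITY)/i.test(svgText)) findings.push('doctype-or-entity');
  const tagRe = /<([A-Za-z_][\w.-]*:)?([A-Za-z_][\w.-]*)((?:"[^"]*"|'[^']*'|[^>"'])*)>/g;
  const attrRe = /([\w:.-]+)\s*=\s*(?:"([^"]*)"|'([^']*)')/g;
  for (const tag of svgText.matchAll(tagRe)) {
    const name = tag[2].toLowerCase(); // local name, namespace prefix ignored
    if (ACTIVE_ELEMENTS.has(name)) findings.push(`element:${name}`);
    for (const a of tag[3].matchAll(attrRe)) {
      const attr = a[1].toLowerCase();
      const value = decodeNumericRefs(a[2] ?? a[3]).replace(/[\s\u0000-\u001f]/g, '').toLowerCase();
      if (attr.startsWith('on')) findings.push(`handler:${attr}`);
      if (value.startsWith('javascript:')) findings.push(`url:${attr}`);
    }
  }
  return findings;
}

// Headers for a direct request to an uploaded SVG. The CSP blocks script
// execution in the SVG document even if the scan above missed something.
function directViewHeaders(filename) {
  return {
    'Content-Type': 'image/svg+xml',
    'X-Content-Type-Options': 'nosniff',
    'Content-Security-Policy': "default-src 'none'; style-src 'unsafe-inline'; sandbox",
    'Content-Disposition': `attachment; filename="${filename.replace(/[^\w.-]/g, '_')}"`,
  };
}

// Constructed samples, not taken from the bulletin.
const SAMPLE_PLAIN = '<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>';
const SAMPLE_ACTIVE =
  '<svg xmlns="http://www.w3.org/2000/svg" onload="void 0"><script>/* placeholder */</script></svg>';
console.log(findActiveContent(SAMPLE_PLAIN), findActiveContent(SAMPLE_ACTIVE));
```

The scan is a text-level triage check and may flag harmless files (for example markup inside comments); the response headers are the control that holds when a file slips past it.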