Cross-site scripting in Wiki.js - CVE-2021-43855

Published: December 26, 2021 / Updated: April 28, 2026


Vulnerability identifier: #VU128258
CSH Severity: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
CVE-ID: CVE-2021-43855
CWE-ID: CWE-79
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: Wiki.js
Software vendor: Requarks.io

Description

The vulnerability allows a remote user to execute arbitrary JavaScript in the browser of another user.

The vulnerability exists due to cross-site scripting in the handling of SVG file uploads: the handler accepts a crafted SVG upload whose request declares a fake MIME type. A remote user can upload such a file using a custom request and execute arbitrary JavaScript in the browser of another user.

Scripts execute only when another user opens the uploaded SVG directly; they do not run when the file is embedded in a page through normal tags.
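As an added defensive example (not Wiki.js code), the following Node.js snippet shows the two controls that address this class of issue: classify an upload by its bytes rather than the client-declared MIME type, refuse SVGs that carry active content, and serve stored SVGs with headers that keep them inert when opened directly. The function names, the regex list, the CSP policy and the sample files are my own constructions.

```javascript
// Added example, not Wiki.js code: content-based upload checks plus inert serving headers.

// Coarse markers of active content in SVG. This is a first-line filter only;
// an XML-parser-based sanitizer is the stronger control for content inspection.
const ACTIVE_CONTENT = [
  /<script[\s>]/i,            // <script> elements
  /\son[a-z]+\s*=/i,          // event-handler attributes (onload=, onclick=, ...)
  /javascript:/i,             // javascript: URLs in href / xlink:href
  /<foreignObject[\s>]/i,     // embedded HTML fragments
];

// Sniff SVG from content: XML whose root element is <svg>, regardless of what
// Content-Type the client claimed.
function sniffIsSvg(buf) {
  const head = buf.toString('utf8', 0, Math.min(buf.length, 4096))
    .replace(/^\uFEFF/, '')
    .replace(/<\?xml[\s\S]*?\?>/g, '')
    .replace(/<!--[\s\S]*?-->/g, '')
    .replace(/<!DOCTYPE[^>]*>/gi, '')
    .trim();
  return /^<svg[\s>]/i.test(head);
}

function hasActiveContent(buf) {
  return ACTIVE_CONTENT.some((re) => re.test(buf.toString('utf8')));
}

// Upload decision. declaredMime never decides the type; it is only compared
// against the sniffed type so a spoofed header can be logged and alerted on.
function classifyUpload(buf, declaredMime) {
  if (!sniffIsSvg(buf)) return { isSvg: false, mismatch: false, action: 'accept' };
  const mismatch = !/^image\/svg\+xml/i.test(declaredMime || '');
  const action = hasActiveContent(buf) ? 'reject' : 'accept';
  return { isSvg: true, mismatch, action };
}

// Headers for serving a stored SVG: download instead of inline rendering, and a
// sandboxed no-script CSP in case it is rendered anyway.
function inertSvgHeaders() {
  return {
    'Content-Type': 'image/svg+xml',
    'Content-Disposition': 'attachment',
    'Content-Security-Policy': "default-src 'none'; style-src 'unsafe-inline'; sandbox",
    'X-Content-Type-Options': 'nosniff',
  };
}

// Constructed samples: a plain drawing and one carrying a <script> element.
const BENIGN_SVG = Buffer.from('<?xml version="1.0"?><svg xmlns="http://www.w3.org/2000/svg"><circle r="5"/></svg>');
const SCRIPTED_SVG = Buffer.from('<svg xmlns="http://www.w3.org/2000/svg"><script>console.log("x")</script></svg>');
```

A `mismatch: true` result (SVG bytes arriving under a non-SVG MIME type) is the signal worth logging, since a legitimate client has no reason to send it.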


Remediation

Install security update from vendor's website.

External links