Cross-site scripting in Wiki.js - CVE-2021-43842

Published: December 19, 2021 / Updated: April 28, 2026


Vulnerability identifier: #VU128259
CSH Severity: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
CVE-ID: CVE-2021-43842
CWE-ID: CWE-79
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
Wiki.js
Software vendor:
Requarks.io

Description

The vulnerability allows a remote user to execute arbitrary JavaScript in the victim's browser.

The vulnerability exists due to insufficient handling of uploaded SVG files. A remote user can upload a specially crafted SVG file that executes arbitrary JavaScript in the victim's browser.

Scripts execute only when another user opens the uploaded SVG directly, as a top-level document; they do not run when the file is embedded in a page through an ordinary img tag, because browsers never execute script in images.


Remediation

Install security update from vendor's website.

External links