Cross-site scripting in Wiki.js - CVE-2021-21383

 


Published: March 13, 2021 / Updated: April 28, 2026


Vulnerability identifier: #VU128261
CSH Severity: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
CVE-ID: CVE-2021-21383
CWE-ID: CWE-79
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
Wiki.js
Software vendor:
Requarks.io

Description

The vulnerability allows a remote user to execute arbitrary JavaScript in the browser of another user.

The vulnerability exists due to cross-site scripting in code blocks when rendering wiki page content containing mustache expressions. A remote user can create a crafted wiki page to execute arbitrary JavaScript in the browser of another user.

User interaction is required because the crafted page must be viewed by another user.
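
To illustrate the bug class described above, the following added example (not Wiki.js code and not taken from the vendor's patch) contrasts a code-block renderer that only HTML-escapes its input with one that also marks the block `v-pre`, and includes a check for mustache text left outside a `v-pre` subtree. It assumes the rendered HTML is compiled in the browser by a template engine that interpolates `{{ }}`, as Vue does; all function names are hypothetical.

```javascript
// Added example, not Wiki.js source; all function names are hypothetical.
// Assumption: the rendered HTML is later compiled in the browser by a template
// engine that interpolates {{ }} and honours v-pre (as Vue does).
const VOID = new Set(['area', 'base', 'br', 'col', 'embed', 'hr', 'img',
  'input', 'link', 'meta', 'source', 'track', 'wbr'])

function escapeHtml (s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;')
    .replace(/>/g, '&gt;').replace(/"/g, '&quot;')
}

// Weak: HTML-escaping stops tag injection, but "{{ ... }}" survives as text
// and is evaluated when the client-side compiler processes the page.
function renderCodeBlockWeak (code) {
  return `<pre><code>${escapeHtml(code)}</code></pre>`
}

// Hardened: v-pre makes the compiler skip this element and its children.
function renderCodeBlock (code) {
  return `<pre v-pre><code>${escapeHtml(code)}</code></pre>`
}

// Audit helper: mustache expressions in text outside any v-pre subtree.
// Simplified scanner for this renderer's output (no ">" in attribute values).
function findUnguardedMustache (html) {
  const tagRe = /<(\/?)([a-zA-Z][\w-]*)([^>]*)>/g
  const stack = [false] // top is true while inside a v-pre subtree
  const hits = []
  const scan = (text) => {
    if (!stack[stack.length - 1]) hits.push(...(text.match(/\{\{[\s\S]*?\}\}/g) || []))
  }
  let last = 0
  let m
  while ((m = tagRe.exec(html)) !== null) {
    scan(html.slice(last, m.index))
    last = tagRe.lastIndex
    const [, closing, name, attrs] = m
    if (closing) {
      if (stack.length > 1) stack.pop()
    } else if (!VOID.has(name.toLowerCase()) && !/\/\s*$/.test(attrs)) {
      stack.push(stack[stack.length - 1] || /(^|\s)v-pre(\s|=|\/|$)/.test(attrs))
    }
  }
  scan(html.slice(last))
  return hits
}

const sample = 'total = {{ 1 + 1 }}' // constructed, harmless sample input
console.log(findUnguardedMustache(renderCodeBlockWeak(sample)), findUnguardedMustache(renderCodeBlock(sample)))
```

Encoding the braces as HTML entities is not a substitute here: the browser decodes entities before an in-DOM template is compiled, so the delimiters reappear.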


Remediation

Install the security update from the vendor's website.

External links