Cross-site scripting in Synapse - CVE-2021-21333

Published: March 25, 2021 / Updated: May 4, 2026
Vulnerability identifier: #VU129604
CSH Severity: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
CVE-ID: CVE-2021-21333
CWE-ID: CWE-79
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: Synapse
Software vendor: Matrix.org

Description

The vulnerability allows a remote user to inject forged content into notification emails.

The vulnerability exists due to improper neutralization of user-supplied input (CWE-79) when rendering the email templates used for missed-message notifications. A remote user can send crafted message content that is placed into the notification email without neutralization, so forged content appears in the email a recipient receives.

The account-expiry notification template is also affected, but in that path the injected content is not attacker-controllable.
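To make the defect class concrete, the following is an added illustration and not Synapse's own code or templates. It assumes a hypothetical HTML notification template with placeholders for sender, room and message body, rendered once without neutralization (the vulnerable pattern described above) and once with every interpolated value HTML-escaped (the equivalent of enabling autoescape in a real template engine). The template text and the sample message are constructed for this example.

```python
"""Illustration of CWE-79 in an HTML notification email template.

Constructed example; not Synapse code. The template, the render
functions and the sample message are hypothetical stand-ins for any
HTML-producing template engine that interpolates values verbatim.
"""
import html
from string import Template

# Constructed stand-in for a missed-message notification template.
NOTIFICATION_TEMPLATE = Template(
    "<p>You have a new message from <b>$sender</b> in $room:</p>"
    "<blockquote>$body</blockquote>"
)

# Constructed sample message whose body carries HTML markup.
SAMPLE_MESSAGE = {
    "sender": "alice",
    "room": "#general",
    "body": '<b>Notice:</b> see <a href="https://example.invalid/">this page</a>',
}


def render_unescaped(message: dict) -> str:
    """Vulnerable pattern: values are dropped into the HTML verbatim.

    Markup inside the message body becomes part of the email's own
    document, so the recipient sees sender-chosen content that appears
    to originate from the service.
    """
    return NOTIFICATION_TEMPLATE.substitute(message)


def render_escaped(message: dict) -> str:
    """Hardened pattern: every value is HTML-escaped before substitution.

    html.escape(quote=True) neutralizes <, >, &, " and ', which is what a
    template engine's autoescape mode does for each interpolated value.
    """
    escaped = {k: html.escape(str(v), quote=True) for k, v in message.items()}
    return NOTIFICATION_TEMPLATE.substitute(escaped)


def contains_raw_markup(rendered: str, untrusted_value: str) -> bool:
    """Detection check for the defect: does the untrusted value appear in
    the rendered output exactly as supplied, tags intact?"""
    return untrusted_value in rendered


if __name__ == "__main__":
    vuln = render_unescaped(SAMPLE_MESSAGE)
    fixed = render_escaped(SAMPLE_MESSAGE)
    print("unescaped render keeps raw markup:", contains_raw_markup(vuln, SAMPLE_MESSAGE["body"]))
    print("escaped render keeps raw markup:  ", contains_raw_markup(fixed, SAMPLE_MESSAGE["body"]))
    print(fixed)
```

The check in `contains_raw_markup` is the same test a reviewer can run against any template in a code base: render a value containing angle brackets and confirm the brackets do not survive into the output. Note that escaping only the message body is insufficient; the sender and room fields are equally user-controlled, which is why the hardened renderer escapes every value.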


Remediation

Install the security update from the vendor's website.