PatchSiren cyber security CVE debrief
CVE-2021-47925 CMDBuild CVE debrief
CVE-2021-47925 describes multiple stored cross-site scripting vulnerabilities in CMDBuild 3.3.2. According to the supplied record, an authenticated attacker can inject arbitrary web script or HTML through crafted input in card creation and file upload endpoints, including Employee card parameters and SVG file attachments in the classes endpoint. The payloads execute when other users view the affected records or preview attachments.
- Vendor: CMDBuild
- Product: Unknown
- CVSS: MEDIUM 5.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-10
- Original CVE updated: 2026-05-10
- Advisory published: 2026-05-10
- Advisory updated: 2026-05-10
Who should care
CMDBuild administrators, application owners, and security teams should care, especially where authenticated users can create or edit cards, upload attachments, or preview files. End users who view affected records or attachments may be exposed to script execution in their browser.
Technical summary
The supplied source describes a stored XSS condition in CMDBuild 3.3.2. The NVD metadata identifies CWE-79 and a network-reachable attack path requiring low privileges and user interaction. The issue appears in record creation and file upload workflows, with SVG attachments called out as one vector. Because the payload is stored, the impact extends to later viewers of the affected record or preview content.
Defensive priority
Medium. This is an authenticated stored XSS issue with browser-side impact and potential session or workflow abuse, but the supplied record does not indicate code execution or system compromise beyond web content injection.
Recommended defensive actions
- Review CMDBuild deployments for 3.3.2 exposure and confirm whether a fixed release is available on the official download page.
- Restrict who can create or edit cards and upload attachments until patched.
- Validate and sanitize card parameters and uploaded file content, with special attention to SVG handling and any fields rendered back into HTML.
- Treat record views and attachment previews as high-risk rendering paths and enforce output encoding.
- Apply browser-side defenses such as a restrictive Content Security Policy where feasible.
- Recheck stored records and attachments for suspicious HTML or script content before re-enabling broad access.
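As an added example that is not part of this advisory or of CMDBuild's own code, the script below shows the attachment and output-encoding checks from the list above: it parses an SVG with the standard library, flags script elements, event-handler attributes and active URL schemes in href attributes, and output-encodes a card field before it is rendered. The sample SVG and the function names are constructed for this example; xml.etree is assumed acceptable here, with a hardened parser such as defusedxml preferred for untrusted input in production.

```python
"""Scan SVG attachments and card fields for stored-XSS indicators (added example)."""
import html
import re
import xml.etree.ElementTree as ET

# Tags that let an SVG run script or embed arbitrary HTML when rendered in a page.
RISKY_TAGS = {"script", "foreignObject"}
# URL schemes that execute or embed active content when used in href / xlink:href.
ACTIVE_URL = re.compile(r"^\s*(javascript|vbscript|data)\s*:", re.IGNORECASE)


def _local(name):
    """Strip an {namespace} prefix from an element or attribute name."""
    return name.split("}", 1)[1] if name.startswith("{") else name


def svg_findings(svg_bytes):
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        # Malformed XML cannot be assessed; reject it rather than hand it to a browser.
        return [f"unparseable XML ({exc}); reject rather than render"]
    findings = []
    for elem in root.iter():
        tag = _local(elem.tag)
        if tag in RISKY_TAGS:
            findings.append(f"<{tag}> element present")
        for attr, value in elem.attrib.items():
            name = _local(attr)
            if name.lower().startswith("on"):
                findings.append(f"event handler {name}= on <{tag}>")
            if name == "href" and ACTIVE_URL.match(value):
                findings.append(f"active URL in href on <{tag}>: {value[:40]}")
    return findings


def encode_card_field(value):
    """Output-encode a card parameter before placing it in an HTML text node or attribute."""
    return html.escape(value, quote=True)


# Constructed sample: a benign circle plus an onload handler and a javascript: link.
SAMPLE_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" onload="run()">
  <circle r="10"/>
  <a href="javascript:run()"><text>open</text></a>
</svg>"""

if __name__ == "__main__":
    for line in svg_findings(SAMPLE_SVG):
        print("FINDING:", line)
    print(encode_card_field('Employee <b>name</b> "quoted"'))
```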
Evidence notes
The NVD record for CVE-2021-47925 lists CWE-79 and a low-privilege, user-interaction-dependent web attack pattern. The supplied description states that CMDBuild 3.3.2 has multiple stored XSS vulnerabilities affecting card creation and file upload endpoints, including Employee card parameters and SVG attachments in the classes endpoint. The timing fields indicate the CVE was published and modified on 2026-05-10 in the supplied record.
Official resources
Recorded publicly in the CVE/NVD record on 2026-05-10; the supplied record shows the same published and modified timestamp.