Cyber Resilience

CVE-2021-47837

MediumPublic PoC

Published: 16 January 2026

Published
16 January 2026
Modified
15 April 2026
KEV Added
Patch
CVSS Score v4 5.1 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0004 13.1th percentile
Risk Priority 10 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2021-47837 is a medium-severity Cross-site Scripting (CWE-79) vulnerability in Imgur (inferred from references). Its CVSS base score is 5.1 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Malicious File (T1204.002); ranked at the 13.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-3 (Malicious Code Protection).

Deeper analysis

CVE-2021-47837 is a persistent cross-site scripting vulnerability (CWE-79) in Markdownify 1.2.0, an Electron-based Markdown editor. The flaw allows attackers to store malicious payloads within markdown files, where embedded scripts can execute upon file opening, potentially enabling remote code execution. It carries a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N).

Attackers can exploit this by uploading crafted markdown files containing malicious scripts, requiring no privileges (PR:N). Victims who open the files in the affected Markdownify 1.2.0 application trigger script execution, achieving low-level confidentiality and integrity impacts with a changed scope (S:C), potentially leading to remote code execution as described.

Advisories from Vulncheck (https://www.vulncheck.com/advisories/markdownify-persistent-cross-site-scripting) document the persistent XSS issue. A proof-of-concept exploit is published on Exploit-DB (https://www.exploit-db.com/exploits/49835). The GitHub repository (https://github.com/amitmerchant1990/electron-markdownify) serves as the primary source for the software, where security practitioners should verify patches or updates.

A proof-of-concept image is available at https://imgur.com/a/T4jBoiS, highlighting the exploit's demonstration. The CVE was published on 2026-01-16.

EU & UK References

Vulnerability details

Markdownify 1.2.0 contains a persistent cross-site scripting vulnerability that allows attackers to store malicious payloads within markdown files. Attackers can upload crafted markdown files with embedded scripts that execute when the file is opened, potentially enabling remote code execution.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1204.002 Malicious File Execution
An adversary may rely upon a user opening a malicious file in order to gain execution.
T1059.007 JavaScript Execution
Adversaries may abuse various implementations of JavaScript for execution.
Why these techniques?

Persistent XSS in Electron Markdown editor enables malicious file delivery (T1204.002) and JavaScript execution leading to RCE (T1059.007).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2021-47838Shared CWE-79
CVE-2025-1015Shared CWE-79
CVE-2021-47840Shared CWE-79
CVE-2026-33932Shared CWE-79
CVE-2025-69368Shared CWE-79
CVE-2025-0829Shared CWE-79
CVE-2026-3880Shared CWE-79
CVE-2026-34557Shared CWE-79
CVE-2025-22326Shared CWE-79
CVE-2026-33299Shared CWE-79

Affected Assets

Imgur
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires validation and sanitization of untrusted markdown input to block embedded scripts before they are stored or rendered.

preventdetect

Mandates malicious-code detection mechanisms that can inspect uploaded markdown files for XSS payloads prior to opening.

preventdetect

Requires integrity checks on information (markdown files) to detect unauthorized script insertion before execution occurs.

References