VulnerableCode Vulnerability Details

Staging Environment: Content and features may be unstable or change without notice.

Search for vulnerabilities

Vulnerability details: VCID-55g4-28a9-u7dc

Essentials
Severities (19)
References (12)
Severity details (18)
Exploits (0)
EPSS
History (1)

Vulnerability ID	VCID-55g4-28a9-u7dc
Aliases	CVE-2021-39170 GHSA-2v88-qq7x-xq5f
Summary	Cross-site Scripting Pimcore is an open source data & experience management platform. An authenticated user could add XSS code as a value of custom metadata on assets. There is a patch for this issue in Pimcore As a workaround, users may apply the patch manually.
Status	Published
Exploitability	0.5
Weighted Severity	8.0
Risk	4.0
Affected and Fixed Packages	Package Details

Weaknesses (4)

CWE-1035	OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
CWE-937	OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-116	Improper Encoding or Escaping of Output
CWE-79	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

System	Score	Found at
epss	0.00027	https://api.first.org/data/v1/epss?cve=CVE-2021-39170
cvssv3.1_qr	HIGH	https://github.com/advisories/GHSA-2v88-qq7x-xq5f
cvssv3.1	8.0	https://github.com/pimcore/pimcore
generic_textual	HIGH	https://github.com/pimcore/pimcore
cvssv3.1	8.0	https://github.com/pimcore/pimcore/pull/10178
generic_textual	HIGH	https://github.com/pimcore/pimcore/pull/10178
cvssv3.1	8.0	https://github.com/pimcore/pimcore/pull/10178.patch
generic_textual	HIGH	https://github.com/pimcore/pimcore/pull/10178.patch
cvssv3.1	8.0	https://github.com/pimcore/pimcore/pull/10206
generic_textual	HIGH	https://github.com/pimcore/pimcore/pull/10206
cvssv3.1	8.0	https://github.com/pimcore/pimcore/security/advisories/GHSA-2v88-qq7x-xq5f
cvssv3.1_qr	HIGH	https://github.com/pimcore/pimcore/security/advisories/GHSA-2v88-qq7x-xq5f
generic_textual	HIGH	https://github.com/pimcore/pimcore/security/advisories/GHSA-2v88-qq7x-xq5f
cvssv3.1	8.0	https://huntr.dev/bounties/c3e4cf79-a4b5-4982-af27-729f66281501
generic_textual	HIGH	https://huntr.dev/bounties/c3e4cf79-a4b5-4982-af27-729f66281501
cvssv3.1	8.0	https://huntr.dev/bounties/e4cb9cd8-89cf-427c-8d2e-37ca40099bf2
generic_textual	HIGH	https://huntr.dev/bounties/e4cb9cd8-89cf-427c-8d2e-37ca40099bf2
cvssv3.1	8.0	https://nvd.nist.gov/vuln/detail/CVE-2021-39170
generic_textual	HIGH	https://nvd.nist.gov/vuln/detail/CVE-2021-39170

Reference id	Reference type	URL
		https://api.first.org/data/v1/epss?cve=CVE-2021-39170
		https://github.com/pimcore/pimcore
		https://github.com/pimcore/pimcore/pull/10178
		https://github.com/pimcore/pimcore/pull/10178.patch
		https://github.com/pimcore/pimcore/pull/10206
		https://github.com/pimcore/pimcore/security/advisories/GHSA-2v88-qq7x-xq5f
		https://huntr.dev/bounties/c3e4cf79-a4b5-4982-af27-729f66281501
		https://huntr.dev/bounties/c3e4cf79-a4b5-4982-af27-729f66281501/
		https://huntr.dev/bounties/e4cb9cd8-89cf-427c-8d2e-37ca40099bf2
		https://huntr.dev/bounties/e4cb9cd8-89cf-427c-8d2e-37ca40099bf2/
CVE-2021-39170		https://nvd.nist.gov/vuln/detail/CVE-2021-39170
GHSA-2v88-qq7x-xq5f		https://github.com/advisories/GHSA-2v88-qq7x-xq5f

No exploits are available.

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H Found at https://github.com/pimcore/pimcore

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H Found at https://github.com/pimcore/pimcore/pull/10178

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H Found at https://github.com/pimcore/pimcore/pull/10178.patch

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H Found at https://github.com/pimcore/pimcore/pull/10206

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H Found at https://github.com/pimcore/pimcore/security/advisories/GHSA-2v88-qq7x-xq5f

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H Found at https://huntr.dev/bounties/c3e4cf79-a4b5-4982-af27-729f66281501

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H Found at https://huntr.dev/bounties/e4cb9cd8-89cf-427c-8d2e-37ca40099bf2

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2021-39170

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Exploit Prediction Scoring System (EPSS)

Percentile	0.08087
EPSS Score	0.00027
Published At	May 30, 2026, 12:55 p.m.

Date	Actor	Action	Source	VulnerableCode Version
2026-05-30T20:55:47.818702+00:00	GitLab Importer	Import	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/pimcore/pimcore/CVE-2021-39170.yml	38.6.0