{"id":"CVE-2021-27902","details":"An issue was discovered in Craft CMS before 3.6.0. In some circumstances, a potential XSS vulnerability existed in connection with front-end forms that accepted user uploads.","aliases":["GHSA-3jxh-789f-p7m6"],"modified":"2026-04-10T04:30:45.203639Z","published":"2021-06-30T12:15:07.610Z","references":[{"type":"ADVISORY","url":"https://github.com/craftcms/cms/blob/develop/CHANGELOG.md#360---2021-01-26"},{"type":"ADVISORY","url":"https://github.com/craftcms/cms/blob/develop/CHANGELOG.md#security-1"},{"type":"FIX","url":"https://github.com/craftcms/cms/commit/8ee85a8f03c143fa2420e7d6f311d95cae3b19ce"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/craftcms/cms","events":[{"introduced":"0"},{"fixed":"243c576a4317fa075e6876b4af0ff2ed98de2867"},{"fixed":"8ee85a8f03c143fa2420e7d6f311d95cae3b19ce"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"3.6.0"}]}}],"versions":["0.9.2063","0.9.2064","0.9.2065","0.9.2068","0.9.2071","0.9.2078","0.9.2079","0.9.2080","0.9.2081","0.9.2083","0.9.2090","0.9.2094","0.9.2100","0.9.2101","0.9.2102","0.9.2103","0.9.2106","0.9.2116","0.9.2117","0.9.2123","0.9.2124","0.9.2146","0.9.2151","0.9.2157","0.9.2167","0.9.2168","0.9.2177","0.9.2181","0.9.2184","0.9.2189","0.9.2193","0.9.2243","0.9.2246","1.0.0-alpha.2236","1.0.0-alpha.2237","1.0.0-alpha.2238","1.0.0-alpha.2241","1.0.0-alpha.2242","1.0.0-alpha.2244","1.0.0-alpha.2245","1.0.0-alpha.2247","1.0.0-alpha.2248","1.0.0-alpha.2249","1.0.2266","1.1.0-alpha.2283","1.1.0-alpha.2284","1.1.0-alpha.2285","1.1.0-alpha.2288","1.1.2291","1.2.0-alpha.2310","1.2.0-alpha.2312","1.2.0-alpha.2318","1.2.0-alpha.2319","1.2.0-alpha.2322","1.2.0-alpha.2328","1.2.0-alpha.2329","1.2.2333","1.2.2335","1.2.2336","1.2.2339","1.4.0-alpha.2488","1.4.0-alpha.2489","1.4.0-alpha.2490","1.4.0-alpha.2491","1.4.0-alpha.2492","1.4.0-alpha.2493","1.4.0-alpha.2497","1.4.0-alpha.2498","1.4.0-alpha.2499","1.4.0-alpha.2500","1.4.0-alpha.2502","1.4.0-alpha.2503","1.4.0-alpha.2505","1.4.0-alpha.2509","2.0.2524","2.0.2525","2.0.2527","2.0.2532","2.0.2533","2.0.2535","2.0.2536","2.0.2537","2.0.2538","2.0.2539","2.1.0-alpha.2546","2.1.0-alpha.2547","2.1.0-alpha.2552","2.1.2554","2.1.2555","2.1.2556","2.1.2557","2.2.0-alpha.2578","2.2.2579","2.2.2581","2.3.0-alpha.2600","2.3.0-alpha.2602","2.3.0-alpha.2603","2.3.0-alpha.2605","2.3.0-alpha.2606","2.3.0-alpha.2608","2.3.0-alpha.2610","2.3.0-alpha.2612","2.3.2615","2.3.2616","2.3.2617","3.0.0-RC10.1","3.0.0-alpha.2671","3.0.0-alpha.2681","3.0.0-alpha.2687","3.0.0-alpha.2915","3.0.0-alpha.2918","3.0.0-alpha.2928","3.0.0-alpha.2933","3.0.0-alpha.2937","3.0.0-alpha.2939","3.0.0-alpha.2942","3.0.0-alpha.2948","3.0.26","3.0.26.1","3.0.27","3.0.27.1","3.0.28","3.0.29","3.0.30","3.0.30.1","3.0.30.2","3.0.31","3.0.32","3.0.33","3.0.34","3.0.35","3.0.36","3.0.37","3.1.1","3.1.10","3.1.11","3.1.12","3.1.13","3.1.14","3.1.15","3.1.16","3.1.17","3.1.17.1","3.1.17.2","3.1.18","3.1.19","3.1.2","3.1.2.1","3.1.2.2","3.1.20","3.1.20.1","3.1.21","3.1.21.1","3.1.22","3.1.23","3.1.24","3.1.25","3.1.26","3.1.27","3.1.28","3.1.29","3.1.3","3.1.30","3.1.31","3.1.32","3.1.32.1","3.1.33","3.1.34","3.1.4","3.1.5","3.1.6","3.1.6.1","3.1.7","3.1.8","3.1.9","3.1.9.1","3.2.0","3.2.1","3.2.10","3.2.2","3.2.3","3.2.4","3.2.4.1","3.2.5","3.2.5.1","3.2.6","3.2.7","3.2.8","3.2.9","3.3.0","3.3.0.1","3.3.1","3.3.1.1","3.3.1.2","3.3.10","3.3.11","3.3.12","3.3.13","3.3.14","3.3.15","3.3.16","3.3.16.1","3.3.16.2","3.3.16.3","3.3.17","3.3.18","3.3.18.1","3.3.18.2","3.3.18.3","3.3.18.4","3.3.19","3.3.2","3.3.20","3.3.20.1","3.3.3","3.3.4","3.3.4.1","3.3.5","3.3.6","3.3.7","3.3.8","3.3.9","3.4.0","3.4.0.1","3.4.0.2","3.4.1","3.4.10","3.4.10.1","3.4.11","3.4.12","3.4.13","3.4.14","3.4.15","3.4.16","3.4.17","3.4.17.1","3.4.18","3.4.19","3.4.19.1","3.4.2","3.4.20","3.4.21","3.4.22","3.4.22.1","3.4.23","3.4.24","3.4.25","3.4.26","3.4.27","3.4.28","3.4.28.1","3.4.29","3.4.29.1","3.4.3","3.4.30","3.4.4","3.4.4.1","3.4.5","3.4.6","3.4.6.1","3.4.7","3.4.7.1","3.4.8","3.4.9","3.5.0","3.5.1","3.5.10","3.5.10.1","3.5.11","3.5.11.1","3.5.12","3.5.12.1","3.5.13","3.5.13.1","3.5.13.2","3.5.14","3.5.15","3.5.15.1","3.5.16","3.5.17","3.5.17.1","3.5.18","3.5.19","3.5.2","3.5.3","3.5.4","3.5.5","3.5.6","3.5.7","3.5.8","3.5.9","3.6.0-RC1","3.6.0-RC2","3.6.0-RC2.1","3.6.0-RC3","3.6.0-RC4","3.6.0-beta.1","3.6.0-beta.1.1","3.6.0-beta.2"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-27902.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}]}