CVE-2021-47912 in PHP Melody
Summary
by MITRE • 02/01/2026
PHP Melody version 3.0 contains multiple non-persistent cross-site scripting vulnerabilities in categories, import, and user import files. Attackers can inject malicious scripts through unvalidated parameters to execute client-side attacks and potentially hijack user sessions.
Analysis
by VulDB Data Team • 02/12/2026
The vulnerability identified as CVE-2021-47912 affects PHP Melody version 3.0 and represents a critical cross-site scripting weakness that resides within the application's handling of user input across multiple functional areas. This issue stems from insufficient validation of parameters within the categories, import, and user import components of the software, creating exploitable entry points where malicious code can be injected and subsequently executed within the context of a victim's browser session.
The technical flaw manifests as a non-persistent cross-site scripting vulnerability, meaning that the malicious scripts are not stored on the server but are executed dynamically when users interact with the vulnerable application. This type of vulnerability falls under CWE-79, which specifically addresses improper neutralization of input during web page generation, and it is particularly dangerous because it can be exploited through various attack vectors without requiring persistent storage of malicious content. The vulnerability is classified as a client-side attack vector that operates within the context of the user's browser session, potentially allowing attackers to execute arbitrary JavaScript code.
The operational impact of this vulnerability extends beyond simple script execution, as it provides attackers with the capability to hijack user sessions and potentially escalate privileges within the application. When users access pages containing maliciously crafted parameters, the injected scripts execute in their browsers, enabling attackers to steal session cookies, redirect users to malicious sites, or perform actions on behalf of authenticated users. This represents a significant threat to user data confidentiality and application integrity, particularly in environments where PHP Melody serves as a content management system for media sharing or entertainment platforms.
The attack surface is particularly concerning given that the vulnerability affects core functionality areas, including categories management, import operations, and user import features, that are frequently accessed by legitimate users. These components typically receive user input through URL parameters or form submissions, making them prime targets for exploitation. The lack of proper input validation and sanitization in these areas means that attackers can craft malicious URLs or form data that, when processed by the vulnerable application, will execute malicious JavaScript in the victim's browser. This vulnerability aligns with ATT&CK technique T1566, which covers spearphishing attachments and links, as attackers can exploit this weakness to deliver malicious payloads through seemingly legitimate application interfaces.
Mitigation strategies should focus on implementing comprehensive input validation and output encoding across all user-facing parameters within the affected application components. The primary defense mechanism involves sanitizing all user-supplied data before processing or rendering it within the application context, ensuring that any potentially malicious characters or script tags are properly escaped or removed. Additionally, implementing proper content security policies and using secure coding practices such as parameterized queries and input sanitization libraries can significantly reduce the risk of exploitation. Regular security audits and vulnerability assessments should be conducted to identify similar weaknesses in other application components, while keeping the PHP Melody application updated with the latest security patches from the vendor to prevent exploitation of known vulnerabilities.
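The validation-plus-encoding fix described above, as an added PHP example that is not PHP Melody's own code: a reflected-parameter page rendered in the vulnerable style beside a hardened version. The parameter names (cat_id, q), the markup and the CSP value are hypothetical, since the advisory does not name the affected parameters.

```php
<?php
declare(strict_types=1);
// Added example, not PHP Melody's code. Parameter names ("cat_id", "q")
// and the page markup are hypothetical stand-ins for the affected pages.

// Vulnerable pattern (CWE-79): request parameters are echoed straight into
// HTML, so markup supplied in the URL is interpreted by the victim's browser.
function render_unsafe(array $query): string
{
    $id = $query['cat_id'] ?? '';
    $q  = $query['q'] ?? '';
    return "<h1>Category {$id}</h1><p>Results for: {$q}</p>";
}

// Hardened pattern: validate what has a known shape (a numeric id) and
// HTML-encode free-form text at the exact point where it is written out.
function render_safe(array $query): string
{
    // Input validation: the id must be a positive integer, otherwise reject.
    $id = filter_var($query['cat_id'] ?? null, FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    if ($id === false) {
        http_response_code(400);
        return '<p>Invalid category id</p>';
    }
    // Output encoding: neutralise <, >, &, " and ' for an HTML text context.
    $q = htmlspecialchars((string) ($query['q'] ?? ''), ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<h1>Category {$id}</h1><p>Results for: {$q}</p>";
}

// Defence in depth: a policy that forbids inline script limits what a
// reflected payload can do if an encoding bug slips through elsewhere.
function send_security_headers(): void
{
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'");
    header('X-Content-Type-Options: nosniff');
}

// Self-check on a constructed request (not a real PHP Melody URL).
$crafted = ['cat_id' => '7', 'q' => '<script>alert(1)</script>'];
assert(str_contains(render_unsafe($crafted), '<script>'));
assert(render_safe($crafted)
    === '<h1>Category 7</h1><p>Results for: &lt;script&gt;alert(1)&lt;/script&gt;</p>');
assert(render_safe(['cat_id' => '<script>', 'q' => '']) === '<p>Invalid category id</p>');
echo "checks passed\n";
```

Run with `php example.php`; the vendor patch for the real pages must apply the same encoding at every output point, since a single unencoded echo is enough to reintroduce the flaw.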