Home

Description

YetiShare File Hosting Script 5.1.0 contains a server-side request forgery vulnerability that allows attackers to read local system files through the remote file upload feature. Attackers can exploit the url parameter in the url_upload_handler endpoint to access sensitive files like /etc/passwd by using file:/// protocol.

PUBLISHED Reserved 2026-01-18 | Published 2026-01-23 | Updated 2026-01-23 | Assigner VulnCheck




MEDIUM: 6.9CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L
MEDIUM: 4.0CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Problem types

Unrestricted Upload of File with Dangerous Type

Product status

v5.1.0
affected

Credits

Numan Türle finder

References

www.exploit-db.com/exploits/49534 exploit

www.exploit-db.com/exploits/49534 (ExploitDB-49534) exploit

mfscripts.com (Vendor Homepage) product

yetishare.com (Software Product Page) product

www.vulncheck.com/...t-remote-file-upload-ssrf-vulnerability (VulnCheck Advisory: YetiShare File Hosting Script 5.1.0 Remote File Upload SSRF Vulnerability) third-party-advisory

cve.org (CVE-2021-47899)

nvd.nist.gov (CVE-2021-47899)

Download JSON