Description

CouchCMS 2.2.1 contains a server-side request forgery vulnerability that allows authenticated attackers to make arbitrary HTTP requests by uploading malicious SVG files. Attackers can upload SVG files containing external entity references through the browse.php endpoint to access internal services and resources.

PUBLISHED Reserved 2026-02-01 | Published 2026-05-15 | Updated 2026-05-15 | Assigner VulnCheck




MEDIUM: 5.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L)
MEDIUM: 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N)

Problem types

Server-Side Request Forgery (SSRF)

Product status

2.2.1: affected

Credits

xxcdd (finder)

References

www.exploit-db.com/exploits/49675 (ExploitDB-49675) exploit

github.com/CouchCMS/CouchCMS (Official Product Homepage) product

www.vulncheck.com/...ver-side-request-forgery-via-svg-upload (VulnCheck Advisory: CouchCMS 2.2.1 Server-Side Request Forgery via SVG upload) third-party-advisory

cve.org (CVE-2021-47958)

nvd.nist.gov (CVE-2021-47958)
