CVE-2021-47958

CouchCMS 2.2.1 Server-Side Request Forgery via SVG upload

CVSS 5.3 MEDIUMEPSS 0.2%CWE-918

Vexday Risk Score

33Attention

SSVC decision (CISA)

Attend

PoC available → attend closely

CVSS 5.3EPSS 0.2%KEV nãoPoC públicaNuclei —Metasploit —Patch —

Lifecycle

15 May 2026Published on NVD

Recommendation: Plan a near-term fix — a public PoC already exists.

CouchCMS 2.2.1 contains a server-side request forgery vulnerability that allows authenticated attackers to make arbitrary HTTP requests by uploading malicious SVG files. Attackers can upload SVG files containing external entity references through the browse.php endpoint to access internal services and resources.

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L

Affected products

CouchCMS · CouchCMS

public PoCs found — 1

cve_referencewww.exploit-db.com/exploits/49675unverified

⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://github.com/CouchCMS/CouchCMS https://www.exploit-db.com/exploits/49675 https://www.vulncheck.com/advisories/couchcms-server-side-request-forgery-via-svg-upload