{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2021-47958", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "state": "PUBLISHED", "assignerShortName": "VulnCheck", "dateReserved": "2026-02-01T11:24:18.720Z", "datePublished": "2026-05-15T18:36:26.824Z", "dateUpdated": "2026-05-15T22:56:00.813Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-05-15T18:36:26.824Z"}, "datePublic": "2021-01-25T00:00:00.000Z", "title": "CouchCMS 2.2.1 Server-Side Request Forgery via SVG upload", "descriptions": [{"lang": "en", "value": "CouchCMS 2.2.1 contains a server-side request forgery vulnerability that allows authenticated attackers to make arbitrary HTTP requests by uploading malicious SVG files. Attackers can upload SVG files containing external entity references through the browse.php endpoint to access internal services and resources."}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Server-Side Request Forgery (SSRF)", "cweId": "CWE-918", "type": "CWE"}]}], "affected": [{"vendor": "CouchCMS", "product": "CouchCMS", "versions": [{"version": "2.2.1", "status": "affected"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:couchcms:couchcms:2.3:*:*:*:*:*:*:*"}, {"vulnerable": true, "criteria": "cpe:2.3:a:couchcms:couchcms:2.2.1:*:*:*:*:*:*:*"}, {"vulnerable": true, "criteria": "cpe:2.3:a:couchcms:couchcms:2.2:*:*:*:*:*:*:*"}, {"vulnerable": true, "criteria": "cpe:2.3:a:couchcms:couchcms:1.3.5:*:*:*:*:*:*:*"}, {"vulnerable": true, "criteria": "cpe:2.3:a:couchcms:couchcms:1.4:*:*:*:*:*:*:*"}, {"vulnerable": true, "criteria": "cpe:2.3:a:couchcms:couchcms:1.4.5:*:*:*:*:*:*:*"}, {"vulnerable": true, "criteria": "cpe:2.3:a:couchcms:couchcms:1.4.7:*:*:*:*:*:*:*"}, {"vulnerable": true, "criteria": "cpe:2.3:a:couchcms:couchcms:2.0:*:*:*:*:*:*:*"}, {"vulnerable": true, "criteria": "cpe:2.3:a:couchcms:couchcms:2.1:*:*:*:*:*:*:*"}]}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 5.3, "baseSeverity": "MEDIUM", "exploitMaturity": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "LOW", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS"}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "format": "CVSS"}], "references": [{"url": "https://www.exploit-db.com/exploits/49675", "name": "ExploitDB-49675", "tags": ["exploit"]}, {"url": "https://github.com/CouchCMS/CouchCMS", "name": "Official Product Homepage", "tags": ["product"]}, {"name": "VulnCheck Advisory: CouchCMS 2.2.1 Server-Side Request Forgery via SVG upload", "tags": ["third-party-advisory"], "url": "https://www.vulncheck.com/advisories/couchcms-server-side-request-forgery-via-svg-upload"}], "credits": [{"lang": "en", "value": "xxcdd", "type": "finder"}], "x_generator": {"engine": "vulncheck"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-05-15T22:12:37.787017Z", "id": "CVE-2021-47958", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-05-15T22:56:00.813Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2021-47958", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-05-15T22:12:37.787017Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-05-15T22:12:41.351Z"}}], "cna": {"title": "CouchCMS 2.2.1 Server-Side Request Forgery via SVG upload", "credits": [{"lang": "en", "type": "finder", "value": "xxcdd"}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 5.3, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "LOW", "vulnIntegrityImpact": "LOW", "subAvailabilityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "vulnConfidentialityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}}, {"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "CouchCMS", "product": "CouchCMS", "versions": [{"status": "affected", "version": "2.2.1"}]}], "datePublic": "2021-01-25T00:00:00.000Z", "references": [{"url": "https://www.exploit-db.com/exploits/49675", "name": "ExploitDB-49675", "tags": ["exploit"]}, {"url": "https://github.com/CouchCMS/CouchCMS", "name": "Official Product Homepage", "tags": ["product"]}, {"url": "https://www.vulncheck.com/advisories/couchcms-server-side-request-forgery-via-svg-upload", "name": "VulnCheck Advisory: CouchCMS 2.2.1 Server-Side Request Forgery via SVG upload", "tags": ["third-party-advisory"]}], "x_generator": {"engine": "vulncheck"}, "descriptions": [{"lang": "en", "value": "CouchCMS 2.2.1 contains a server-side request forgery vulnerability that allows authenticated attackers to make arbitrary HTTP requests by uploading malicious SVG files. Attackers can upload SVG files containing external entity references through the browse.php endpoint to access internal services and resources."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-918", "description": "Server-Side Request Forgery (SSRF)"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:couchcms:couchcms:2.3:*:*:*:*:*:*:*", "vulnerable": true}, {"criteria": "cpe:2.3:a:couchcms:couchcms:2.2.1:*:*:*:*:*:*:*", "vulnerable": true}, {"criteria": "cpe:2.3:a:couchcms:couchcms:2.2:*:*:*:*:*:*:*", "vulnerable": true}, {"criteria": "cpe:2.3:a:couchcms:couchcms:1.3.5:*:*:*:*:*:*:*", "vulnerable": true}, {"criteria": "cpe:2.3:a:couchcms:couchcms:1.4:*:*:*:*:*:*:*", "vulnerable": true}, {"criteria": "cpe:2.3:a:couchcms:couchcms:1.4.5:*:*:*:*:*:*:*", "vulnerable": true}, {"criteria": "cpe:2.3:a:couchcms:couchcms:1.4.7:*:*:*:*:*:*:*", "vulnerable": true}, {"criteria": "cpe:2.3:a:couchcms:couchcms:2.0:*:*:*:*:*:*:*", "vulnerable": true}, {"criteria": "cpe:2.3:a:couchcms:couchcms:2.1:*:*:*:*:*:*:*", "vulnerable": true}], "operator": "OR"}]}], "providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-05-15T18:36:26.824Z"}}}, "cveMetadata": {"cveId": "CVE-2021-47958", "state": "PUBLISHED", "dateUpdated": "2026-05-15T22:56:00.813Z", "dateReserved": "2026-02-01T11:24:18.720Z", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "datePublished": "2026-05-15T18:36:26.824Z", "assignerShortName": "VulnCheck"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "CouchCMS 2.2.1 contains a server-side request forgery vulnerability that allows authenticated attackers to make arbitrary HTTP requests by uploading malicious SVG files. Attackers can upload SVG files containing external entity references through the browse.php endpoint to access internal services and resources."}], "id": "CVE-2021-47958", "lastModified": "2026-05-15T19:16:54.623", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "disclosure@vulncheck.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "LOW", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "disclosure@vulncheck.com", "type": "Secondary"}]}, "published": "2026-05-15T19:16:54.623", "references": [{"source": "disclosure@vulncheck.com", "url": "https://github.com/CouchCMS/CouchCMS"}, {"source": "disclosure@vulncheck.com", "url": "https://www.exploit-db.com/exploits/49675"}, {"source": "disclosure@vulncheck.com", "url": "https://www.vulncheck.com/advisories/couchcms-server-side-request-forgery-via-svg-upload"}], "sourceIdentifier": "disclosure@vulncheck.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "disclosure@vulncheck.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2.2.1"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "CouchCMS", "source": "cna", "vendor": "CouchCMS"}, "product": "couchcms", "vendor": "couchcms"}], "created": "2026-05-15T20:30:06.374401+00:00", "updated": "2026-05-15T22:00:12.172944+00:00", "vendors": ["couchcms", "couchcms$PRODUCT$couchcms"]}