PatchSiren cyber security CVE debrief
CVE-2021-47958 CouchCMS CVE debrief
CVE-2021-47958 describes a server-side request forgery (SSRF) issue in CouchCMS 2.2.1. According to the supplied record, an authenticated attacker can upload a malicious SVG through the browse.php endpoint and use external entity references to make arbitrary HTTP requests from the server. SVG is XML, so an uploaded SVG that declares an external entity causes any entity-resolving parser on the server side to fetch an attacker-chosen URL on the attacker's behalf. That can expose internal services or other resources reachable only from the application host.
- Vendor: CouchCMS
- Product: Unknown
- CVSS: MEDIUM 5.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-15
- Original CVE updated: 2026-05-18
- Advisory published: 2026-05-15
- Advisory updated: 2026-05-18
Who should care
Administrators and developers running CouchCMS 2.2.1, especially deployments that allow authenticated file uploads through browse.php. Security teams should also review any internal-only services that the CMS host can reach, because SSRF can be used to probe or access them.
Technical summary
The supplied description and NVD metadata indicate an authenticated SSRF condition tied to SVG upload handling, driven by external entity resolution when the uploaded XML is parsed or rendered on the server. The weakness is mapped to CWE-918 (Server-Side Request Forgery). The issue is network-reachable, requires low privileges, and does not require user interaction. The record's CVSS v4 vector also indicates low confidentiality and integrity impact rather than full compromise, which is consistent with SSRF-style abuse: the attacker routes requests through the server to reach internal services, but does not directly gain code execution on the host.
Defensive priority
Medium. This is not marked as a KEV item in the supplied data, but it is still important to address because SSRF can be used to reach internal-only targets and support follow-on attacks.
Recommended defensive actions
- Confirm whether CouchCMS 2.2.1 is in use and whether browse.php accepts authenticated SVG uploads.
- Restrict or disable SVG upload handling if it is not required.
- Review how the server parses or renders uploaded SVG: reject documents that contain DOCTYPE or ENTITY declarations, configure the XML parser so it never resolves external entities, and treat href/xlink:href values that point outside the document as untrusted.
- Apply any vendor fix or upgrade guidance if available from the CouchCMS project or the advisory referenced in the record.
- Apply egress filtering on the CMS host so it can reach only the internal services it actually needs; that limits what an SSRF can probe or access.
- Monitor for unusual outbound HTTP requests originating from the CMS server and for uploads of unexpected SVG files.
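The following is an added example of the upload-side check described above; it is not CouchCMS code and is not taken from the advisory. It rejects DOCTYPE/ENTITY declarations (the vector named in the record), and goes slightly further by also refusing href/xlink:href targets and CSS url() references that point outside the document, since a server-side renderer would fetch those too. The function names and the sample SVG documents are assumptions constructed for illustration.

```python
"""Pre-storage validation for uploaded SVG files (added example, not CouchCMS code)."""
import re
import xml.etree.ElementTree as ET
from typing import Optional
from urllib.parse import urlsplit

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"

# Any DOCTYPE or ENTITY declaration is rejected outright. That is where an
# uploaded SVG would declare an external entity (SYSTEM "http://...") that an
# entity-resolving server-side parser fetches on the attacker's behalf.
DECL_RE = re.compile(rb"<!\s*(DOCTYPE|ENTITY)\b", re.IGNORECASE)

# CSS url() whose target is neither a same-document fragment nor a data: URI.
CSS_URL_RE = re.compile(r"url\(\s*['\"]?\s*(?!#|data:)", re.IGNORECASE)

# Attributes whose value names a resource a renderer may fetch.
REF_ATTRS = ("href", "{%s}href" % XLINK_NS)


def is_local_reference(ref: str) -> bool:
    """Allow only same-document fragments (#id) and inline data: URIs."""
    ref = ref.strip()
    if ref.startswith("#"):
        return True
    return urlsplit(ref).scheme.lower() == "data"


def svg_rejection_reason(data: bytes) -> Optional[str]:
    """Return why an uploaded SVG must be rejected, or None if it is acceptable."""
    if b"\x00" in data:
        # A UTF-16/UTF-32 encoded upload would hide "<!DOCTYPE" from the
        # byte-level regex below; require a NUL-free (UTF-8/ASCII) document.
        return "NUL bytes present (non-UTF-8 encoding?)"
    if DECL_RE.search(data):
        return "DOCTYPE/ENTITY declarations are not allowed in uploads"
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return "not well-formed XML: %s" % exc
    if root.tag not in ("svg", "{%s}svg" % SVG_NS):
        return "root element is %r, not an SVG document" % root.tag
    for el in root.iter():
        local = el.tag.rsplit("}", 1)[-1]
        for attr in REF_ATTRS:
            ref = el.get(attr)
            if ref is not None and not is_local_reference(ref):
                return "<%s> references external resource %r" % (local, ref)
        style = el.get("style", "")
        if local == "style" and el.text:
            style += el.text
        if CSS_URL_RE.search(style):
            return "<%s> style references an external url()" % local
    return None


# Constructed samples for demonstration; none of them come from the advisory.
XXE_SVG = (
    b'<?xml version="1.0"?>\n'
    b'<!DOCTYPE svg [<!ENTITY probe SYSTEM "http://127.0.0.1:8080/">]>\n'
    b'<svg xmlns="http://www.w3.org/2000/svg"><text>&probe;</text></svg>'
)
REMOTE_IMAGE_SVG = (
    b'<svg xmlns="http://www.w3.org/2000/svg" '
    b'xmlns:xlink="http://www.w3.org/1999/xlink">'
    b'<image xlink:href="http://127.0.0.1:8080/x.png" width="1" height="1"/></svg>'
)
REMOTE_CSS_SVG = (
    b'<svg xmlns="http://www.w3.org/2000/svg">'
    b'<style>rect{fill:url(http://127.0.0.1:8080/a.svg#p)}</style><rect/></svg>'
)
CLEAN_SVG = (
    b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">'
    b'<defs><circle id="dot" r="2"/></defs>'
    b'<use href="#dot" style="fill:url(#dot)"/></svg>'
)

if __name__ == "__main__":
    for name, doc in [("xxe", XXE_SVG), ("image", REMOTE_IMAGE_SVG),
                      ("css", REMOTE_CSS_SVG), ("clean", CLEAN_SVG)]:
        print(name, "->", svg_rejection_reason(doc) or "accepted")
```

The check fails closed: a DOCTYPE inside an XML comment is rejected as well, which is the right trade-off for an upload endpoint. Run it before the file is written to disk or handed to any renderer, and keep the NUL-byte test; without it a UTF-16 encoded upload would slip past the byte-level declaration check while still parsing as XML.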
Evidence notes
This debrief is based only on the supplied CVE record and its metadata. The record identifies the issue as an authenticated SSRF in CouchCMS 2.2.1 via SVG uploads through browse.php, mapped to CWE-918. The supplied NVD metadata shows vulnStatus as Deferred and includes references to the CouchCMS GitHub repository, an Exploit-DB entry, and a VulnCheck advisory, but the contents of those references were not used beyond their presence in the record. Timing context uses the supplied CVE publishedAt 2026-05-15T19:16:54.623Z and modifiedAt 2026-05-18T17:26:40.167Z.
Official resources
Publicly recorded in the supplied CVE data with a publication timestamp of 2026-05-15T19:16:54.623Z and a later modification on 2026-05-18T17:26:40.167Z. The supplied record attributes the issue to CouchCMS 2.2.1 and identifies it as an SSR