CVE-2021-42560

HIGH

MITRE Caldera 2.9.0 - XML External Entity Injection via Debrief Plugin SVG Parameter

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2021-42560. PoCs published by mbadanoiu.

AI-analyzed exploit summary This repository describes an XXE vulnerability in MITRE Caldera's Debrief plugin (versions <=2.9.0) due to unsafe XML parsing of base64-encoded SVG parameters. The vulnerability allows for file exfiltration, SSRF, and out-of-band data exfiltration.

Description

An issue was discovered in CALDERA 2.9.0. The Debrief plugin receives base64 encoded "SVG" parameters when generating a PDF document. These SVG documents are parsed in an unsafe manner and can be leveraged for XXE attacks (e.g., File Exfiltration, Server Side Request Forgery, Out of Band Exfiltration, etc.).

Exploits (1)

nomisec WRITEUP
by mbadanoiu · poc
https://github.com/mbadanoiu/CVE-2021-42560

This repository describes an XXE vulnerability in MITRE Caldera's Debrief plugin (versions <=2.9.0) due to unsafe XML parsing of base64-encoded SVG parameters. The vulnerability allows for file exfiltration, SSRF, and out-of-band data exfiltration.

Classification
Writeup 90%
Attack Type
Other
Complexity
Moderate
Reliability
Theoretical
Target: MITRE Caldera <=2.9.0
Auth required
Prerequisites: Valid user credentials · Access to the Debrief plugin
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (2)

Core 2
Core References
Release Notes, Third Party Advisory x_refsource_misc
https://github.com/mitre/caldera/releases

Scores

CVSS v3 8.8
EPSS 0.0215
EPSS Percentile 79.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-611
Status published
Products (1)
mitre/caldera 2.9.0
Published Jan 12, 2022
Tracked Since Feb 18, 2026