CVE-2021-47955

MEDIUM

CouchCMS 2.2.1 Cross-Site Scripting via SVG File Upload

Title source: cna
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2021-47955. PoCs published by xxcdd.

AI-analyzed exploit summary This exploit demonstrates an XSS vulnerability in CouchCMS 2.2.1 via SVG file upload. The SVG file contains malicious JavaScript that executes when rendered, allowing cookie theft.

Description

CouchCMS 2.2.1 contains a cross-site scripting vulnerability that allows authenticated attackers to execute arbitrary JavaScript by uploading malicious SVG files through the file upload functionality. Attackers can upload SVG files containing embedded script tags to the browse.php endpoint, which are then executed in users' browsers when the files are accessed or previewed.

Exploits (1)

exploitdb WORKING POC
by xxcdd · textwebappsphp
https://www.exploit-db.com/exploits/49636

This exploit demonstrates an XSS vulnerability in CouchCMS 2.2.1 via SVG file upload. The SVG file contains malicious JavaScript that executes when rendered, allowing cookie theft.

Classification
Working Poc 95%
Attack Type
Xss
Complexity
Trivial
Reliability
Reliable
Target: CouchCMS v2.2.1
Auth required
Prerequisites: valid nonce value · access to the file upload endpoint
devstral-2 · analyzed May 16, 2026 Full analysis →

References (3)

Core 3
Core References
Exploit exploit
ExploitDB-49636
https://www.exploit-db.com/exploits/49636
Product product
Official Product Homepage
https://github.com/CouchCMS/CouchCMS
Third Party Advisory third-party-advisory
VulnCheck Advisory: CouchCMS 2.2.1 Cross-Site Scripting via SVG File Upload
https://www.vulncheck.com/advisories/couchcms-cross-site-scripting-via-svg-file-upload

Scores

CVSS v3 5.4
EPSS 0.0017
EPSS Percentile 6.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-79
Status published
Products (1)
CouchCMS/CouchCMS 2.2.1
Published May 16, 2026
Tracked Since May 16, 2026