CVE-2023-53899

CRITICAL

PodcastGenerator 3.2.9 - Server-Side Request Forgery via Episode Upload Shortdesc Parameter

Exploitation Summary

EIP tracks 1 public exploit for CVE-2023-53899. PoC published by Mirabbas Ağalarov.

AI-analyzed exploit summary: This exploit demonstrates a blind SSRF vulnerability in PodcastGenerator 3.2.9 via XML injection in the 'shortdesc' field during episode upload. The attacker injects a malicious XML payload to trigger an outbound HTTP request to an attacker-controlled server.

Description

PodcastGenerator 3.2.9 contains a blind server-side request forgery vulnerability that allows attackers to inject XML in the episode upload form. Attackers can manipulate the 'shortdesc' parameter to trigger external HTTP requests to arbitrary endpoints during podcast episode creation.

Exploits (1)

exploitdb · WORKING POC
by Mirabbas Ağalarov · text · webapps · php
https://www.exploit-db.com/exploits/51565

Classification
Working PoC: 90%
Attack Type: SSRF
Complexity: Trivial
Reliability: Reliable
Target: PodcastGenerator v3.2.9
Auth required: yes
Prerequisites: Access to the admin panel · Valid session token
Analyzed by devstral-2 on Feb 16, 2026

References (4)

Scores

CVSS v3: 9.8
EPSS: 0.0049
EPSS Percentile: 38.1%
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation: poc
Automatable: yes
Technical Impact: total

Details

CWE: CWE-918
Status: published
Products (1): podcastgenerator/podcast_generator 3.2.9
Published: Dec 16, 2025
Tracked Since: Feb 18, 2026