CVE-2026-21433
Server-Side SSRF via SVG Upload in Emlog

Publication date: 2026-01-02

Last updated on: 2026-01-02

Assigner: GitHub, Inc.

Description
Emlog is an open source website building system. Versions up to and including 2.5.19 are vulnerable to server-side Out-of-Band (OOB) requests / SSRF via uploaded SVG files. An attacker can upload a crafted SVG to http[:]//emblog/admin/media[.]php which contains external resource references. When the server processes/renders the SVG (thumbnailing, preview, or sanitization), it issues an HTTP request to the attacker-controlled host. Impact: server-side SSRF/OOB leading to internal network probing and potential metadata/credential exposure. As of time of publication, no known patched versions are available.
Meta Information
Published: 2026-01-02
Last Modified: 2026-01-02
Generated: 2026-05-07
AI Q&A: 2026-01-02
EPSS Evaluated: 2026-05-05
Source: NVD
Affected Vendors & Products
Vendor: emlog
Product: emlog
Version / Range: up to and including 2.5.19
CWE
CWE-918: The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-21433 is a Server-Side Request Forgery (SSRF) vulnerability in emlog versions up to 2.5.19. It occurs because the application allows uploading SVG files that contain external resource references. When the server processes these SVG files (for thumbnailing, preview, or sanitization), it makes HTTP requests to attacker-controlled servers due to these external references. This enables attackers to perform out-of-band SSRF attacks, causing the server to make arbitrary HTTP requests on their behalf. [1]


How can this vulnerability impact me?

This vulnerability can lead to the server making arbitrary HTTP requests to internal or external resources controlled by an attacker. This allows internal network probing, port and service discovery, and potential access to sensitive internal resources such as cloud instance metadata endpoints. Consequently, attackers may obtain credentials or secrets, enabling further attacks like data exfiltration or lateral movement within the network. [1]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Detection can be done by monitoring outbound HTTP requests from the server, especially those triggered by processing SVG uploads. One can set up a listener on an external server to detect if the server makes HTTP requests when a crafted SVG is uploaded. Additionally, inspecting logs for unexpected outbound connections or using network monitoring tools to detect unusual HTTP requests to external or internal IPs (such as 169.254.169.254) can help. Specific commands are not provided in the resources, but typical approaches include using tcpdump or Wireshark to monitor outbound traffic, or setting up a simple HTTP server to catch SSRF attempts. [1]
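The correlation the answer above describes, as an added defensive example that is not part of the advisory or of the Emlog project: SVG POSTs to the media endpoint are pulled from the web server access log, and outbound connections from the web host that either hit the cloud metadata endpoint or leave for a non-allowlisted destination shortly after such an upload are flagged. Both log formats (an access log with an extra upload-filename field, and a one-line-per-connection egress log), the allowlist, and every host, address and timestamp are constructed for the example.

```python
"""Correlate SVG uploads with outbound connections from the web host.

Added defensive example, not from the advisory or the Emlog project.
The two log formats below are constructed for the example (an access log
with an extra upload-filename field and a simple egress/firewall log),
as are all hosts, addresses and timestamps.
"""
import ipaddress
import re
from datetime import datetime, timedelta, timezone

# Constructed access log lines: last field is the uploaded file name.
ACCESS_LOG = """\
10.0.0.5 - - [02/Jan/2026:10:15:01 +0000] "POST /admin/media.php HTTP/1.1" 200 512 "logo.svg"
10.0.0.5 - - [02/Jan/2026:10:15:02 +0000] "GET /admin/media.php HTTP/1.1" 200 4096 "-"
10.0.0.6 - - [02/Jan/2026:11:39:50 +0000] "POST /admin/media.php HTTP/1.1" 200 512 "photo.jpg"
"""

# Constructed egress log lines: time, host, source -> destination:port.
EGRESS_LOG = """\
2026-01-02T10:15:03Z web-01 10.0.0.10 -> 169.254.169.254:80 TCP SYN
2026-01-02T10:15:03Z web-01 10.0.0.10 -> 192.0.2.7:80 TCP SYN
2026-01-02T10:15:05Z web-01 10.0.0.10 -> 10.0.0.20:3306 TCP SYN
2026-01-02T11:40:00Z web-01 10.0.0.10 -> 192.0.2.7:443 TCP SYN
"""

# Destinations the web host legitimately talks to (constructed allowlist).
ALLOWED_DST = {ipaddress.ip_address("10.0.0.20")}
METADATA_IP = ipaddress.ip_address("169.254.169.254")

_ACCESS = re.compile(
    r'\[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" \d+ \d+ "(?P<file>[^"]*)"')
_EGRESS = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<src>\S+) -> (?P<dst>[\d.]+):(?P<port>\d+)")


def svg_upload_times(access_log: str) -> list[datetime]:
    """Timestamps of SVG files POSTed to the media endpoint."""
    times = []
    for line in access_log.splitlines():
        m = _ACCESS.search(line)
        if (m and m.group("method") == "POST"
                and m.group("path").endswith("/admin/media.php")
                and m.group("file").lower().endswith(".svg")):
            times.append(datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"))
    return times


def suspicious_egress(egress_log: str, uploads: list[datetime],
                      window: timedelta = timedelta(seconds=30)):
    """Return (dst, port, reasons) for outbound connections worth a look:
    the metadata endpoint at any time, or any non-allowlisted destination
    contacted within `window` of an SVG upload."""
    hits = []
    for line in egress_log.splitlines():
        m = _EGRESS.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        dst = ipaddress.ip_address(m.group("dst"))
        if dst in ALLOWED_DST:
            continue
        reasons = []
        if dst == METADATA_IP:
            reasons.append("cloud metadata endpoint")
        if any(abs(ts - up) <= window for up in uploads):
            reasons.append(f"within {int(window.total_seconds())}s of an SVG upload")
        if reasons:
            hits.append((str(dst), int(m.group("port")), reasons))
    return hits


if __name__ == "__main__":
    for dst, port, reasons in suspicious_egress(EGRESS_LOG, svg_upload_times(ACCESS_LOG)):
        print(f"{dst}:{port}  {'; '.join(reasons)}")
```

The JPEG upload at 11:39:50 is deliberately in the sample: the connection ten seconds later is not flagged because only SVG uploads are correlated, while the connection to 169.254.169.254 is flagged regardless of timing. In practice the window and the allowlist are the two knobs to tune against the host's normal traffic.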


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include disabling SVG uploads on the media upload endpoint until a fix is available and restricting outbound HTTP requests from the server via egress firewall rules, especially blocking access to cloud metadata IPs such as 169.254.169.254. [1]
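Where SVG uploads cannot simply be switched off, the upload handler can refuse any SVG that references something outside the document before it is stored or rendered. The checker below is an added defensive example, not code from the advisory or the Emlog project; it assumes the handler can pass the raw file bytes to check_svg(), and it is stricter than the advisory's wording in that it allows only same-document fragments (#id) and inline data: URIs, treating DOCTYPE/ENTITY declarations, xml-stylesheet instructions, href/xlink:href to any other target, @import rules and non-local url() values as reasons to reject. All sample SVGs are constructed.

```python
"""Refuse uploaded SVGs that reference anything outside the document.

Added defensive example, not code from the advisory or the Emlog project.
It assumes the upload handler can pass the raw file bytes to check_svg()
before the file is stored or rendered; all sample SVGs are constructed.
"""
import re
import xml.etree.ElementTree as ET

_CSS_URL = re.compile(r"url\(\s*['\"]?([^'\")]+)", re.IGNORECASE)
_CSS_IMPORT = re.compile(r"@import\b", re.IGNORECASE)
_DOCTYPE = re.compile(rb"<!(?:DOCTYPE|ENTITY)\b", re.IGNORECASE)
_XML_STYLESHEET = re.compile(rb"<\?xml-stylesheet\b", re.IGNORECASE)


def _is_nonlocal(ref: str) -> bool:
    """Only same-document fragments (#id) and inline data: URIs are allowed;
    any other reference would make a renderer fetch a URL or a file."""
    ref = ref.strip()
    if not ref or ref.startswith("#"):
        return False
    return not ref.lower().startswith("data:")


def _css_findings(css: str, where: str) -> list[str]:
    """Flag @import rules and url() values that leave the document."""
    findings = []
    if _CSS_IMPORT.search(css):
        findings.append(f"{where}: @import rule")
    for ref in _CSS_URL.findall(css):
        if _is_nonlocal(ref):
            findings.append(f"{where}: url({ref.strip()})")
    return findings


def check_svg(data: bytes) -> list[str]:
    """Return the reasons to refuse the upload; an empty list means clean."""
    findings = []
    # DTD/entity declarations and xml-stylesheet instructions can pull in
    # external documents before any SVG element is even looked at.
    if _DOCTYPE.search(data):
        findings.append("DOCTYPE/ENTITY declaration")
    if _XML_STYLESHEET.search(data):
        findings.append("xml-stylesheet processing instruction")
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        findings.append(f"not well-formed XML: {exc}")
        return findings
    for elem in root.iter():
        tag = elem.tag.split("}")[-1]            # drop the namespace prefix
        for name, value in elem.attrib.items():
            local = name.split("}")[-1]          # xlink:href and href alike
            if local == "href":
                if _is_nonlocal(value):
                    findings.append(f"<{tag} {local}={value.strip()}>")
            elif "url(" in value.lower() or "@import" in value.lower():
                # style, fill, filter, mask, clip-path, marker-* and friends
                findings.extend(_css_findings(value, f"<{tag} {local}>"))
        if tag == "style" and elem.text:
            findings.extend(_css_findings(elem.text, "<style>"))
    return findings


# Constructed samples: one clean, one with external references, one with an entity.
CLEAN_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg"><defs>'
             b'<linearGradient id="g"/><circle id="c" r="5"/></defs>'
             b'<use href="#c"/><rect fill="url(#g)" width="2" height="2"/>'
             b'<image href="data:image/png;base64,AAAA" width="1" height="1"/></svg>')
EXTERNAL_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" '
                b'xmlns:xlink="http://www.w3.org/1999/xlink">'
                b'<image xlink:href="http://external.example/x.png" width="1" height="1"/>'
                b'<style>@import url(http://external.example/s.css);</style>'
                b'<rect fill="url(http://external.example/p.svg#pat)" width="2" height="2"/></svg>')
ENTITY_SVG = (b'<?xml version="1.0"?><!DOCTYPE svg [<!ENTITY ext SYSTEM '
              b'"http://external.example/e.xml">]>'
              b'<svg xmlns="http://www.w3.org/2000/svg">&ext;</svg>')

if __name__ == "__main__":
    for name, sample in (("clean", CLEAN_SVG), ("external", EXTERNAL_SVG), ("entity", ENTITY_SVG)):
        print(name, check_svg(sample) or "ok")
```

Rejecting rather than rewriting is the point: a sanitizer that strips references still has to parse the file, and the advisory lists sanitization among the processing steps that can trigger the fetch, so the DOCTYPE and xml-stylesheet checks run on the raw bytes before any XML parsing. This check is independent of the egress rules the answer above recommends, which remain the backstop for anything the parser-level check does not see.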


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

This vulnerability can lead to the exposure of sensitive internal resources, including metadata and credentials, through server-side SSRF attacks. Such exposure risks unauthorized access to confidential data, which may result in non-compliance with data protection regulations like GDPR and HIPAA that require safeguarding personal and sensitive information. Therefore, organizations using affected versions of emlog could face compliance issues if this vulnerability is exploited and leads to data breaches. [1]

