CVE-2026-21433
Unknown Unknown - Not Provided
Server-Side SSRF via SVG Upload in Emlog

Publication date: 2026-01-02

Last updated on: 2026-01-02

Assigner: GitHub, Inc.

Description
Emlog is an open source website building system. Versions up to and including 2.5.19 are vulnerable to server-side Out-of-Band (OOB) requests / SSRF via uploaded SVG files. An attacker can upload a crafted SVG to http[:]//emblog/admin/media[.]php which contains external resource references. When the server processes/renders the SVG (thumbnailing, preview, or sanitization), it issues an HTTP request to the attacker-controlled host. Impact: server-side SSRF/OOB leading to internal network probing and potential metadata/credential exposure. As of time of publication, no known patched versions are available.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-02
Last Modified
2026-01-02
Generated
2026-06-16
AI Q&A
2026-01-02
EPSS Evaluated
2026-06-15
NVD
CVE-2026-21433
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
emlog emlog to 2.5.19 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-21433 is a Server-Side Request Forgery (SSRF) vulnerability in emlog versions up to 2.5.19. It occurs because the application allows uploading SVG files that contain external resource references. When the server processes these SVG files (for thumbnailing, preview, or sanitization), it makes HTTP requests to attacker-controlled servers due to these external references. This enables attackers to perform out-of-band SSRF attacks, causing the server to make arbitrary HTTP requests on their behalf. [1]

Impact Analysis

This vulnerability can lead to the server making arbitrary HTTP requests to internal or external resources controlled by an attacker. This allows internal network probing, port and service discovery, and potential access to sensitive internal resources such as cloud instance metadata endpoints. Consequently, attackers may obtain credentials or secrets, enabling further attacks like data exfiltration or lateral movement within the network. [1]

Detection Guidance

Detection can be done by monitoring outbound HTTP requests from the server, especially those triggered by processing SVG uploads. One can set up a listener on an external server to detect if the server makes HTTP requests when a crafted SVG is uploaded. Additionally, inspecting logs for unexpected outbound connections or using network monitoring tools to detect unusual HTTP requests to external or internal IPs (such as 169.254.169.254) can help. Specific commands are not provided in the resources, but typical approaches include using tcpdump or Wireshark to monitor outbound traffic, or setting up a simple HTTP server to catch SSRF attempts. [1]

Mitigation Strategies

Immediate mitigation steps include disabling SVG uploads on the media upload endpoint until a fix is available and restricting outbound HTTP requests from the server via egress firewall rules, especially blocking access to cloud metadata IPs such as 169.254.169.254. [1]

Compliance Impact

This vulnerability can lead to the exposure of sensitive internal resources, including metadata and credentials, through server-side SSRF attacks. Such exposure risks unauthorized access to confidential data, which may result in non-compliance with data protection regulations like GDPR and HIPAA that require safeguarding personal and sensitive information. Therefore, organizations using affected versions of emlog could face compliance issues if this vulnerability is exploited and leads to data breaches. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-21433. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart