QSearchQSearch

CVE-2021-39497

9.8 CRITICAL

eyoucms 1.5.4 lacks sanitization of input data, allowing an attacker to inject a url to trigger blind SSRF via the saveRemote() function

Published: 2021-09-07 · Last updated: 2026-06-17

Severity and scoring

CVSS
9.8 CRITICAL
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE
CWE-918

Affected products

VendorProduct
eyoucmseyoucms

Description

eyoucms 1.5.4 lacks sanitization of input data, allowing an attacker to inject a url to trigger blind SSRF via the saveRemote() function.

Source: NVD

References

Related CVEs

Same vendor

  • CVE-2021-39501 EyouCMS 1.5.4 is vulnerable to Open Redirect (6.1 MEDIUM)
  • CVE-2021-39500 Eyoucms 1.5.4 is vulnerable to Directory Traversal (7.5 HIGH)
  • CVE-2021-39499 A Cross-site scripting (XSS) vulnerability in Users in Qiong ICP EyouCMS 1.5.4 allows remote attackers to inject arbitrary web script or ... (6.1 MEDIUM)
  • CVE-2021-39496 Eyoucms 1.5.4 lacks sanitization of input data, allowing an attacker to inject malicious code into `filename` param to trigger Reflected XSS (5.4 MEDIUM)

Same CWE

  • CVE-2026-53859 OpenClaw before 2026.5.26 contains a hostname validation vulnerability allowing attackers to bypass blocklist comparisons using trailing-... (6.5 MEDIUM)
  • CVE-2026-47684 Sync-in Server is a secure, open-source platform for file storage, sharing, collaboration, and syncing (7.7 HIGH)
  • CVE-2025-60175 Administrator Server Side Request Forgery (SSRF) in PopAd <= 1.0.4 versions (4.4 MEDIUM)
  • CVE-2026-50888 An authenticated Server-Side Request Forgery (SSRF) in the custom scraper subsystem component of Benjamin Jonard Koillection v1.8.0 allow... (8.1 HIGH)
  • CVE-2026-50887 A Server-Side Request Forgery (SSRF) in the automatic short URL title resolution component of shlink v5.0.1 allows attackers to scan inte... (9.1 CRITICAL)