CVE-2021-47899 PUBLISHED

YetiShare File Hosting Script 5.1.0 Remote File Upload SSRF Vulnerability

Assigner: VulnCheck
Reserved: 18.01.2026 Published: 23.01.2026 Updated: 23.01.2026

YetiShare File Hosting Script 5.1.0 contains a server-side request forgery vulnerability that allows attackers to read local system files through the remote file upload feature. Attackers can exploit the url parameter of the url_upload_handler endpoint to access sensitive files such as /etc/passwd by supplying a URL that uses the file:/// protocol.
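The check a remote-upload handler needs before fetching a user-supplied URL, as an added example (not YetiShare's code and not the vendor's fix): it rejects non-HTTP schemes such as file:/// and, going beyond the file-read case in the description, hosts that resolve to non-public addresses. The function name `check_remote_upload_url` and its `resolver` parameter are assumptions made for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Only schemes a remote-upload feature legitimately needs.
ALLOWED_SCHEMES = {"http", "https"}


def _default_resolver(host):
    """Return every address the host name resolves to."""
    return [info[4][0] for info in socket.getaddrinfo(host, None)]


def check_remote_upload_url(url, resolver=_default_resolver):
    """Return (ok, reason) for a user-supplied remote-upload URL."""
    try:
        parts = urlsplit(url.strip())
        host = parts.hostname
    except ValueError:
        return False, "unparseable URL"
    # file://, gopher://, ftp:// and similar never reach the fetcher.
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    if not host or parts.username or parts.password:
        return False, "missing host or embedded credentials"
    try:
        # Host given as an IP literal: check it directly.
        addresses = [ipaddress.ip_address(host)]
    except ValueError:
        try:
            # Host name: check every address it resolves to.
            addresses = [ipaddress.ip_address(a.split("%")[0])
                         for a in resolver(host)]
        except (OSError, ValueError):
            return False, "host does not resolve"
    if not addresses:
        return False, "host does not resolve"
    for addr in addresses:
        # Loopback, RFC 1918, link-local (cloud metadata) are all non-global.
        if not addr.is_global:
            return False, f"non-public address {addr}"
    return True, "ok"
```

The fetch itself should connect to the address that passed this check and apply the same check to every redirect target, otherwise a second DNS lookup or a redirect can bypass it.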

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L
CVSS Score: 6.9

Product Status

Vendor: Mfscripts
Product: YetiShare File Hosting Script
Versions:
  • Version v5.1.0 is affected

Credits

  • Numan Türle (finder)

References

Problem Types

  • Unrestricted Upload of File with Dangerous Type CWE