YetiShare File Hosting Script 5.1.0 Remote File Upload SSRF Vulnerability

Advisories

severity: medium
date: January 22, 2026
Affecting: YetiShare File Hosting Script v5.1.0
CVE: CVE-2021-47899
CWE: CWE-434 Unrestricted Upload of File with Dangerous Type
CVSS: 6.9
CVSS V4 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L
References: ExploitDB-49534
Vendor Homepage
Software Product Page
Credit: Numan Türle
Description: YetiShare File Hosting Script 5.1.0 contains a server-side request forgery vulnerability that allows attackers to read local system files through the remote file upload feature. Attackers can exploit the url parameter in the url_upload_handler endpoint to access sensitive files like /etc/passwd by using file:/// protocol.