← Back to CVEs

CVE-2023-53899

CRITICAL

9.8

Description

PodcastGenerator 3.2.9 contains a blind server-side request forgery vulnerability that allows attackers to inject XML in the episode upload form. Attackers can manipulate the 'shortdesc' parameter to trigger external HTTP requests to arbitrary endpoints during podcast episode creation.

CVE Details

CVSS v3.1 Score9.8

SeverityCRITICAL

CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack VectorNETWORK

ComplexityLOW

Privileges RequiredNONE

User InteractionNONE

Published12/16/2025

Last Modified12/30/2025

Sourcenvd

Honeypot Sightings0

Affected Products

podcastgenerator:podcast_generator

Weaknesses (CWE)

CWE-918

References

https://github.com/PodcastGenerator/PodcastGenerator(disclosure@vulncheck.com)

https://podcastgenerator.net/(disclosure@vulncheck.com)

https://www.exploit-db.com/exploits/51565(disclosure@vulncheck.com)

https://www.vulncheck.com/advisories/podcastgenerator-blind-server-side-request-forgery-via-xml-injection(disclosure@vulncheck.com)

IOC Correlations

No correlations recorded

This product uses data from the NVD API but is not endorsed or certified by the NVD.