Cyber Posture

CVE-2023-53899

Critical · Public PoC · Updated

Published: 16 December 2025
Modified: 29 April 2026
KEV Added: not listed
Patch: none listed
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0018 (38.6th percentile)
Risk Priority: 20 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-53899 is a critical-severity blind SSRF (CWE-918) vulnerability in Podcast Generator by Podcastgenerator. Its CVSS v3.1 base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks the vulnerability at the 38.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SC-7 (Boundary Protection) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and one other technique, Network Service Discovery (T1046). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) [AI-generated]

prevent (SI-10 Information Input Validation): Validates user inputs such as the 'shortdesc' parameter in the episode upload form to prevent the XML injection that triggers the blind SSRF.

prevent: Identifies, prioritizes, and remediates the specific SSRF flaw (CVE-2023-53899) in PodcastGenerator 3.2.9 through patching or code fixes.

prevent (SC-7 Boundary Protection): Boundary protection at network perimeters blocks unauthorized outbound HTTP requests to arbitrary external endpoints initiated via SSRF.

MITRE ATT&CK Enterprise Techniques [AI-generated]

T1190 Exploit Public-Facing Application (tactic: Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1046 Network Service Discovery (tactic: Discovery)
Adversaries may attempt to get a listing of services running on remote hosts and local network infrastructure devices, including those that may be vulnerable to remote software exploitation.
Why these techniques?

T1190 directly matches exploitation of a public-facing web application vulnerability (unauthenticated SSRF via episode upload form). T1046 is facilitated by blind SSRF enabling internal network scanning and access to sensitive services.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

PodcastGenerator 3.2.9 contains a blind server-side request forgery vulnerability that allows attackers to inject XML in the episode upload form. Attackers can manipulate the 'shortdesc' parameter to trigger external HTTP requests to arbitrary endpoints during podcast episode creation.

Deeper analysis [AI-generated]

CVE-2023-53899 is a blind server-side request forgery (SSRF) vulnerability, classified under CWE-918, affecting PodcastGenerator version 3.2.9. The flaw exists in the episode upload form, where attackers can inject malicious XML by manipulating the 'shortdesc' parameter. This injection triggers external HTTP requests to arbitrary endpoints controlled by the attacker during the podcast episode creation process.

The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), making it remotely exploitable over the network with low attack complexity, no privileges or user interaction required, and high impacts across confidentiality, integrity, and availability. Unauthenticated attackers can leverage it to force the PodcastGenerator server to initiate HTTP requests to arbitrary external endpoints.

Advisories and references include the PodcastGenerator GitHub repository (https://github.com/PodcastGenerator/PodcastGenerator), official site (https://podcastgenerator.net/), a proof-of-concept exploit on Exploit-DB (https://www.exploit-db.com/exploits/51565), and a VulnCheck advisory detailing the SSRF via XML injection (https://www.vulncheck.com/advisories/podcastgenerator-blind-server-side-request-forgery-via-xml-injection). No specific patch or mitigation details are provided in the available information.
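The input-validation control and the NVD description above come down to one mistake: user text from the 'shortdesc' field reaching an XML document as markup rather than as data. The following is an added illustration, not PodcastGenerator's code; the function names, the 500-character cap and the sample input (with a placeholder host) are constructed for this example. It shows a plain-text check on the field, DOM-based construction of the RSS item so the text can never open a tag or a DOCTYPE, and a feed parser that refuses any DOCTYPE before parsing.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: a 'shortdesc' value that tries to close the element and
# smuggle in a DOCTYPE with an external reference (placeholder host).
INJECTED_SHORTDESC = ('Ep 1</description><!DOCTYPE d SYSTEM '
                      '"http://example.invalid/x.dtd"><description>')
CLEAN_SHORTDESC = 'Episode 1: interview & listener Q/A'

# Allowed: printable text plus tab/CR/LF, no angle brackets, up to 500 chars
# (the length cap is an assumption, not a PodcastGenerator limit).
_PLAIN_TEXT = re.compile(r'[^<>\x00-\x08\x0b\x0c\x0e-\x1f]{1,500}')

def is_plain_shortdesc(value: str) -> bool:
    """Input validation (SI-10 style): reject markup and control characters."""
    return _PLAIN_TEXT.fullmatch(value) is not None

def build_item_unescaped(title: str, shortdesc: str) -> str:
    """The bug class: user text spliced into XML by string concatenation."""
    return (f'<item><title>{title}</title>'
            f'<description>{shortdesc}</description></item>')

def build_item_escaped(title: str, shortdesc: str) -> str:
    """Hardened: build through the DOM, so '<', '>' and '&' in user text are
    serialised as &lt; &gt; &amp; and can never open a tag or a DOCTYPE."""
    item = ET.Element('item')
    ET.SubElement(item, 'title').text = title
    ET.SubElement(item, 'description').text = shortdesc
    return ET.tostring(item, encoding='unicode')

def contains_doctype(xml_text: str) -> bool:
    """True if the serialised document carries a literal DOCTYPE declaration."""
    return re.search(r'<!DOCTYPE', xml_text, re.IGNORECASE) is not None

def parse_feed_hardened(xml_text: str) -> ET.Element:
    """Refuse any DOCTYPE before parsing, so a feed can declare no entities
    and no external DTD at all; then parse with the standard library."""
    if contains_doctype(xml_text):
        raise ValueError('DOCTYPE is not permitted in a feed')
    return ET.fromstring(xml_text)

if __name__ == '__main__':
    print(is_plain_shortdesc(INJECTED_SHORTDESC))   # False: rejected at input
    unsafe = build_item_unescaped('t', INJECTED_SHORTDESC)
    print(contains_doctype(unsafe))                 # True: injection succeeded
    safe = build_item_escaped('t', INJECTED_SHORTDESC)
    print(contains_doctype(safe))                   # False: inert text
    desc = parse_feed_hardened(safe).find('description').text
    print(desc == INJECTED_SHORTDESC)               # True: round-trips as text
```

Refusing DOCTYPE outright removes any dependence on the parser's entity-resolution defaults; the DOM-based builder is the fix for the injection itself, and the input check is a second layer in front of it.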

Details

CWE(s): CWE-918 (Server-Side Request Forgery)

Affected Products: podcastgenerator / podcast generator, version 3.2.9

CVEs Like This One

Related CVEs sharing CWE-918: CVE-2026-4623, CVE-2025-71259, CVE-2026-5418, CVE-2026-42860, CVE-2026-29925, CVE-2025-25785, CVE-2025-27777, CVE-2026-0613, CVE-2026-44313, CVE-2026-43526
