Impact
CouchCMS 2.2.1 contains a cross‑site scripting flaw that permits an authenticated attacker to upload SVG files with embedded <script> tags through the file upload interface. When those files are accessed or previewed via the browse.php endpoint, the browser executes the malicious JavaScript. The flaw allows an attacker to run arbitrary client‑side code in the context of any user who opens the uploaded file.
Affected Systems
The vulnerability affects CouchCMS releases from version 1.3.5 through at least 2.3, including 2.2.1. Both the vendor and the product are listed as CouchCMS. The CPE list enumerates every version in that range, so any installation that has not been updated beyond 2.3 may be susceptible.
Risk and Exploitability
The CVSS score of 5.1 indicates moderate severity. The EPSS score is unavailable and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires valid credentials to upload a file; an attacker with an account can then store a malicious SVG that executes when another user views it. The flaw is limited to authenticated users, but the exploit-db reference indicates that a publicly documented exploit exists (the extent of real-world use is not specified), so the overall risk remains moderate and organizations should still prioritize remediation to close this XSS vector.
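The server-side upload check that closes this class of hole, as an added example in Python (not CouchCMS code): it rejects an SVG that carries script elements, on* event handlers, foreignObject/embedding elements, javascript: URIs, or a DOCTYPE, so nothing active is ever stored for a preview endpoint like browse.php to render. The sample SVGs are constructed for this example; serving uploads with Content-Disposition: attachment and a strict Content-Security-Policy is the complementary defense on the serving side.

```python
import xml.etree.ElementTree as ET

# Elements that let an SVG execute script or embed foreign content.
ACTIVE_TAGS = {"script", "foreignobject", "iframe", "embed", "object"}
# Attributes whose value is a URI and may therefore carry a javascript: scheme.
URI_ATTRS = {"href", "src"}  # xlink:href normalises to "href" below


def _local(name: str) -> str:
    """Strip an XML namespace: '{http://www.w3.org/2000/svg}script' -> 'script'."""
    return name.rsplit("}", 1)[-1].lower()


def find_active_content(data: bytes) -> list[str]:
    """Return the reasons an uploaded SVG must be rejected (empty list = clean)."""
    findings = []
    # An image upload never needs a DOCTYPE; refusing it also blocks entity tricks.
    if b"<!DOCTYPE" in data.upper():
        findings.append("doctype: DOCTYPE/entity declaration present")
    try:
        root = ET.fromstring(data)  # expat: external entities are not fetched
    except ET.ParseError as exc:
        return findings + [f"parse: not well-formed XML ({exc})"]
    if _local(root.tag) != "svg":
        findings.append(f"root: <{_local(root.tag)}> is not <svg>")
    for el in root.iter():
        tag = _local(el.tag)
        if tag in ACTIVE_TAGS:
            findings.append(f"element: <{tag}>")
        for attr, value in el.attrib.items():
            name = _local(attr)
            if name.startswith("on"):  # onload=, onclick=, onerror=, ...
                findings.append(f"handler: {name} on <{tag}>")
            elif name in URI_ATTRS:
                # Browsers ignore embedded whitespace in the scheme, so strip it first.
                if "".join(value.split()).lower().startswith("javascript:"):
                    findings.append(f"uri: javascript: in {name} on <{tag}>")
    return findings


def is_safe_svg(data: bytes) -> bool:
    """Accept an SVG upload only when no active content was found."""
    return not find_active_content(data)


# Constructed samples (not from the advisory) to exercise the check.
BENIGN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="5"/></svg>'
SCRIPT_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><script>void 0</script></svg>'
HANDLER_SVG = b'<svg xmlns="http://www.w3.org/2000/svg" onload="void 0"><rect width="1" height="1"/></svg>'
```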
OpenCVE Enrichment