{"id":"CVE-2021-33199","details":"In Expression Engine before 6.0.3, addonIcon in Addons/file/mod.file.php relies on the untrusted input value of input-\u003eget('file') instead of the fixed file names of icon.png and icon.svg.","modified":"2026-05-19T04:02:12.672005283Z","published":"2021-08-12T21:15:07.500Z","database_specific":{},"references":[{"type":"ADVISORY","url":"https://github.com/ExpressionEngine/ExpressionEngine/releases/tag/6.0.3"},{"type":"FIX","url":"https://github.com/ExpressionEngine/ExpressionEngine/compare/6.0.1...6.0.3#diff-17bcb23e5666fc2dccb79c7133e9eeb701847f67ae84fbde0a673c3fd3d109e0R508"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/expressionengine/expressionengine","events":[{"introduced":"0"},{"fixed":"c07f240e92b0a2e05d0b3dcafcf5898421140491"}],"database_specific":{"cpe":"cpe:2.3:a:expressionengine:expressionengine:*:*:*:*:*:*:*:*","extracted_events":[{"introduced":"0"},{"fixed":"6.0.3"}],"source":["CPE_FIELD","REFERENCES"]}}],"versions":["6.0.2","6.0.1","6.0.0"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-33199.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}