VYPR

CWE-918

Server-Side Request Forgery (SSRF)

Abstraction: Base | Status: Incomplete

Description

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-664

CVEs mapped to this weakness (1,583)

page 17 of 80
  • CVE-2018-15895 | High | Aug 27, 2018
    risk 0.49 | CVSS 7.5 | EPSS 0.01

    An SSRF vulnerability was discovered in idreamsoft iCMS 7.0.11 because the remote function in app/spider/spider_tools.class.php does not block DNS hostnames associated with private and reserved IP addresses, as demonstrated by 127.0.0.1 in an A record. NOTE: this vulnerability…

  • CVE-2018-15192 | High | Aug 8, 2018
    risk 0.49 | CVSS 8.6 | EPSS 0.02

    An SSRF vulnerability in webhooks in Gitea through 1.5.0-rc2 and Gogs through 0.11.53 allows remote attackers to access intranet services.

  • CVE-2018-14858 | High | Aug 2, 2018
    risk 0.49 | CVSS 7.5 | EPSS 0.01

    An SSRF vulnerability was discovered in idreamsoft iCMS before V7.0.11 because the remote function in app/spider/spider_tools.class.php does not block private and reserved IP addresses such as 10.0.0.0/8. NOTE: this vulnerability exists because of an incomplete fix for…

  • CVE-2018-5004 | High | Jul 20, 2018
    risk 0.49 | CVSS 7.5 | EPSS 0.04

    Adobe Experience Manager versions 6.2 and 6.3 have a Server-Side Request Forgery vulnerability. Successful exploitation could lead to sensitive information disclosure.

  • CVE-2018-12809 | High | Jul 20, 2018
    risk 0.49 | CVSS 7.5 | EPSS 0.05

    Adobe Experience Manager versions 6.4 and earlier have a Server-Side Request Forgery vulnerability. Successful exploitation could lead to sensitive information disclosure.

  • CVE-2018-7055 | High | Feb 15, 2018
    risk 0.49 | CVSS 7.5 | EPSS 0.01

    GroupViewProxyServlet in RoomWizard before 4.4.x allows SSRF via the url parameter.

  • CVE-2018-6029 | High | Jan 23, 2018
    risk 0.49 | CVSS 7.5 | EPSS 0.01

    The copy function in application/admin/controller/Article.php in NoneCms 1.3.0 allows remote attackers to access the content of internal and external network resources via Server Side Request Forgery (SSRF), because URL validation only considers whether the URL contains the…

  • CVE-2017-1000419 | High | Jan 2, 2018
    risk 0.49 | CVSS 7.5 | EPSS 0.01

    phpBB version 3.2.0 is vulnerable to SSRF in the Remote Avatar function, allowing an attacker to perform port scanning, request internal content and potentially attack such internal services via the web application.

  • CVE-2017-4928 | High | Nov 17, 2017
    risk 0.49 | CVSS 7.5 | EPSS 0.01

    The Flash-based vSphere Web Client (6.0 prior to 6.0 U3c and 5.5 prior to 5.5 U3f), i.e. not the new HTML5-based vSphere Client, contains SSRF and CRLF injection issues due to improper neutralization of URLs. An attacker may exploit these issues by sending a POST request with…

  • CVE-2017-9066 | High | May 18, 2017
    risk 0.49 | CVSS 8.6 | EPSS 0.04

    In WordPress before 4.7.5, there is insufficient redirect validation in the HTTP class, leading to SSRF.

  • CVE-2026-49120 | High | Jun 2, 2026
    risk 0.48 | CVSS 8.5 | EPSS 0.00

    Medplum before 5.1.14 contains a server-side request forgery vulnerability in the subscription worker that allows authenticated users to perform unauthorized internal network requests by creating FHIR Subscription resources with arbitrary endpoint URLs. Attackers can point…

  • CVE-2026-46372 | High | May 29, 2026
    risk 0.48 | CVSS 8.5 | EPSS 0.01

    SillyTavern is a locally installed user interface that allows users to interact with text generation large language models, image generation engines, and text-to-speech voice models. Prior to 1.18.0, SillyTavern exposes /api/search/searxng, which accepts attacker-controlled…

  • CVE-2026-44797 | High | May 28, 2026
    risk 0.48 | CVSS 8.5 | EPSS 0.00

    Nautobot is a Network Source of Truth and Network Automation Platform. Prior to 2.4.33 and 3.1.2, Nautobot's Webhook data model and associated feature set could be configured by users with sufficient access to perform requests to various hosts and IP addresses that should not be…

  • CVE-2026-48153 | High | May 27, 2026
    risk 0.48 | CVSS 8.5 | EPSS 0.00

    Budibase is an open-source low-code platform. Prior to 3.39.0, fetchToken in the OAuth2 SDK makes a POST to a builder-supplied URL with plain node-fetch, skipping the blacklist.isBlacklisted check that every other outbound fetch path in the codebase uses. The Joi schema for the…

  • CVE-2026-45401 | High | May 15, 2026
    risk 0.48 | CVSS 8.5 | EPSS 0.00

    Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.5, the validate_url() function in backend/open_webui/retrieval/web/utils.py only validates the initial URL submitted by the caller. The HTTP clients used downstream…

  • CVE-2026-45400 | High | May 15, 2026
    risk 0.48 | CVSS 8.5 | EPSS 0.00

    Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.5, a parsing difference between the urlparse and requests libraries led to an SSRF bypass vulnerability. This vulnerability is fixed in 0.9.5.

  • CVE-2026-45331 | High | May 15, 2026
    risk 0.48 | CVSS 8.5 | EPSS 0.00

    Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, validate_url() in backend/open_webui/retrieval/web/utils.py calls validators.ipv6(ip, private=True), but the validators library does NOT implement the private…

  • CVE-2026-44015 | High | May 12, 2026
    risk 0.48 | CVSS 8.5 | EPSS 0.00

    Nginx UI is a web user interface for the Nginx web server. In 2.3.4 and earlier, an authenticated user can perform Server-Side Request Forgery (SSRF) by creating a cluster node pointing to an arbitrary internal URL and then sending API requests with the X-Node-ID header. The…

  • CVE-2026-34647 | High | May 12, 2026
    risk 0.48 | CVSS 7.4 | EPSS 0.00

    Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and earlier are affected by a Server-Side Request Forgery (SSRF) vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass…

  • CVE-2026-42860 | High | May 11, 2026
    risk 0.48 | CVSS 8.5 | EPSS 0.00

    The Open edX Enterprise Service app provides enterprise features to the Open edX platform. From 7.0.2 to 7.0.4, the sync_provider_data endpoint in SAMLProviderDataViewSet fetches SAML metadata from a URL stored in SAMLProviderConfig.metadata_source. An authenticated user with…