VYPR

CWE-918

Server-Side Request Forgery (SSRF)

Abstraction: Base; Status: Incomplete

Description

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-664

CVEs mapped to this weakness (1,583)

  • CVE-2026-42858 (High) May 11, 2026
    risk 0.48, CVSS 8.5, EPSS 0.00

    Open edX Platform enables the authoring and delivery of online learning at any scale. The sync_provider_data endpoint in SAMLProviderDataViewSet allows authenticated Enterprise Admin users to supply an arbitrary URL via the metadata_url POST parameter. This URL is passed…

  • CVE-2026-42449 (High) May 7, 2026
    risk 0.48, CVSS 8.5, EPSS 0.00

    n8n-MCP is an MCP server that provides AI assistants access to n8n node documentation, properties, and operations. In versions 2.47.4 through 2.47.13, the SDK embedder path (N8NDocumentationMCPServer constructor, getN8nApiClient(), and validateInstanceContext()), the synchronous…

  • CVE-2026-42439 (High) May 5, 2026
    risk 0.48, CVSS 8.5, EPSS 0.00

    OpenClaw before 2026.4.10 contains a server-side request forgery policy bypass vulnerability in the browser tabs action select and close routes. Attackers can bypass configured browser SSRF policy protections by exploiting the /tabs/action endpoint to perform unauthorized tab…

  • CVE-2026-41914 (High) Apr 28, 2026
    risk 0.48, CVSS 8.5, EPSS 0.00

    OpenClaw before 2026.4.8 contains a server-side request forgery vulnerability in QQ Bot media download paths that bypass SSRF protection. Attackers can exploit unprotected media fetch endpoints to access internal resources and bypass allowlist policies.

  • CVE-2026-41455 (High) Apr 22, 2026
    risk 0.48, CVSS 8.5, EPSS 0.00

    WeKan before 8.35 contains a server-side request forgery vulnerability in webhook integration URL handling where the URL scheme field accepts any string without protocol restriction or destination validation. Attackers who can create or modify integrations can set webhook URLs…

  • CVE-2026-39974 (High) Apr 9, 2026
    risk 0.48, CVSS 8.5, EPSS 0.00

    n8n-MCP is a Model Context Protocol (MCP) server that provides AI assistants with comprehensive access to n8n node documentation, properties, and operations. Prior to 2.47.4, an authenticated Server-Side Request Forgery in n8n-mcp allows a caller holding a valid AUTH_TOKEN to…

  • CVE-2026-34076 (High) Apr 1, 2026
    risk 0.48, CVSS 7.4, EPSS 0.00

    Clerk JavaScript is the official JavaScript repository for Clerk authentication. In @clerk/hono from versions 0.1.0 to before 0.1.5, @clerk/express from versions 2.0.0 to before 2.0.7, @clerk/backend from versions 3.0.0 to before 3.2.3, and @clerk/fastify from versions 3.1.0 to…

  • CVE-2026-33953 (High) Mar 27, 2026
    risk 0.48, CVSS 8.5, EPSS 0.00

    LinkAce is a self-hosted archive to collect website links. Versions prior to 2.5.3 block direct requests to private IP literals, but still perform server-side requests to internal-only resources when those resources are referenced through an internal hostname. This allows an…

  • CVE-2026-31943 (High) Mar 27, 2026
    risk 0.48, CVSS 8.5, EPSS 0.00

    LibreChat is a ChatGPT clone with additional features. Prior to version 0.8.3, `isPrivateIP()` in `packages/api/src/auth/domain.ts` fails to detect IPv4-mapped IPv6 addresses in their hex-normalized form, allowing any authenticated user to bypass SSRF protection and make the…

  • CVE-2025-32355 (High) Feb 17, 2026
    risk 0.48, CVSS 7.3, EPSS 0.01

    Rocket TRUfusion Enterprise through 7.10.4.0 uses a reverse proxy to handle incoming connections. However, the proxy is misconfigured in a way that allows specifying absolute URLs in the HTTP request line, causing the proxy to load the given resource.

  • CVE-2025-62155 (High) Nov 25, 2025
    risk 0.48, CVSS 8.5, EPSS 0.00

    New API is a large language model (LLM) gateway and artificial intelligence (AI) asset management system. Prior to version 0.9.6, a recently patched SSRF vulnerability contains a bypass method that can bypass the existing security fix and still allow SSRF to occur. Because the…

  • CVE-2025-59146 (High) Oct 9, 2025
    risk 0.48, CVSS 8.5, EPSS 0.00

    New API is a large language model (LLM) gateway and artificial intelligence (AI) asset management system. An authenticated Server-Side Request Forgery (SSRF) vulnerability exists in versions prior to 0.9.0.5. A feature within the application allows authenticated users to submit a…

  • CVE-2023-3958 (High) Aug 16, 2023
    risk 0.48, CVSS 8.5, EPSS 0.01

    The WP Remote Users Sync plugin for WordPress is vulnerable to Server Side Request Forgery via the 'notify_ping_remote' AJAX function in versions up to, and including, 1.2.12. This can allow authenticated attackers with subscriber-level permissions or above to make web requests…

  • CVE-2018-7516 (High) Mar 22, 2018
    risk 0.48, CVSS 7.3, EPSS 0.01

    A server-side request forgery vulnerability has been identified in Geutebruck G-Cam/EFD-2250 Version 1.12.0.4 and Topline TopFD-2125 Version 3.15.1 IP cameras, which could lead to proxied network scans.

  • CVE-2017-6130 (High) Apr 6, 2017
    risk 0.48, CVSS 7.4, EPSS 0.01

    F5 SSL Intercept iApp 1.5.0 - 1.5.7 and SSL Orchestrator 2.0 is vulnerable to a Server-Side Request Forgery (SSRF) attack when deployed using the Dynamic Domain Bypass (DDB) feature plus SNAT Auto Map option for egress traffic.

  • CVE-2017-7272 (High) Mar 27, 2017
    risk 0.48, CVSS 7.4, EPSS 0.04

    PHP through 7.1.11 enables potential SSRF in applications that accept an fsockopen or pfsockopen hostname argument with an expectation that the port number is constrained. Because a :port syntax is recognized, fsockopen will use the port number that is specified in the hostname…

  • CVE-2017-5617 (High) Mar 16, 2017
    risk 0.48, CVSS 7.4, EPSS 0.02

    The SVG Salamander (aka svgSalamander) library, when used in a web application, allows remote attackers to conduct server-side request forgery (SSRF) attacks via an xlink:href attribute in an SVG file.

  • CVE-2016-9417 (High) Jan 31, 2017
    risk 0.48, CVSS 7.4, EPSS 0.02

    The fetch_remote_file function in MyBB (aka MyBulletinBoard) before 1.8.8 and MyBB Merge System before 1.8.8 allows remote attackers to conduct server-side request forgery (SSRF) attacks via unspecified vectors.

  • CVE-2016-7999 (High) Jan 18, 2017
    risk 0.48, CVSS 7.4, EPSS 0.02

    ecrire/exec/valider_xml.php in SPIP 3.1.2 and earlier allows remote attackers to conduct server side request forgery (SSRF) attacks via a URL in the var_url parameter in a valider_xml action.

  • CVE-2017-5518 (High) Jan 17, 2017
    risk 0.48, CVSS 7.4, EPSS 0.02

    The media-file upload feature in GeniXCMS through 0.0.8 allows remote attackers to conduct SSRF attacks via a URL, as demonstrated by a URL with an intranet IP address.