VYPR

CWE-918

Server-Side Request Forgery (SSRF)

Abstraction: Base
Status: Incomplete

Description

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-664

CVEs mapped to this weakness (1,583)

page 28 of 80
  • CVE-2026-42398 · High · May 28, 2026
    risk 0.43 · CVSS 7.7 · EPSS 0.00

    Server-Side Request Forgery (CWE-918) in Kibana allows authenticated users with connector management privileges to bypass the operator-configured connection allowlist. By configuring a Webhook connector with a crafted target, an attacker can cause Kibana to issue outbound…

  • CVE-2026-48146 · High · May 27, 2026
    risk 0.43 · CVSS 7.7 · EPSS 0.00

    Budibase is an open-source low-code platform. Prior to 3.39.0, the OAuth2 token fetch function in packages/server/src/sdk/workspace/oauth2/utils.ts uses raw fetch(config.url) with no SSRF protection. The safe wrapper fetchWithBlacklist() exists in the same codebase and is used…

  • CVE-2026-45715 · High · May 27, 2026
    risk 0.43 · CVSS 7.7 · EPSS 0.00

    Budibase is an open-source low-code platform. Prior to 3.38.1, the REST datasource integration (packages/server/src/integrations/rest.ts) follows HTTP redirects without re-checking the IP blacklist, allowing an authenticated Builder to access internal services (cloud metadata,…

  • CVE-2026-45548 · High · May 27, 2026
    risk 0.43 · CVSS 7.7 · EPSS 0.00

    Budibase is an open-source low-code platform. Prior to 3.34.8, the processUrlFile function in packages/server/src/automations/steps/ai/extract.ts uses fetch(fileUrl) directly without the IP blacklist validation that is consistently applied to all other automation steps. This…

  • CVE-2026-45061 · High · May 27, 2026
    risk 0.43 · CVSS 7.7 · EPSS 0.00

    Budibase is an open-source low-code platform. Prior to 3.35.10, the Plugin URL upload endpoint (POST /api/plugin) validates the submitted URL with a single substring check: url.includes(".tar.gz"). Any URL containing .tar.gz anywhere in the string — in the path, query string,…

  • CVE-2026-48918 · Medium · May 27, 2026
    risk 0.43 · CVSS 6.6 · EPSS 0.00

    Jenkins Active Directory Plugin 2.41 and earlier follows LDAP referrals by default.

  • CVE-2026-48916 · Medium · May 27, 2026
    risk 0.43 · CVSS 6.6 · EPSS 0.00

    Jenkins LDAP Plugin 807.v7d7de30930cf and earlier follows LDAP referrals.

  • CVE-2026-43884 · High · May 11, 2026
    risk 0.43 · CVSS 7.7 · EPSS 0.00

    WWBN AVideo is an open source video platform. In versions up to and including 29.0, two endpoints (plugin/AI/receiveAsync.json.php and objects/EpgParser.php) in AVideo call isSSRFSafeURL() to validate user-supplied URLs, then fetch them using bare file_get_contents() without…

  • CVE-2026-42345 · High · May 8, 2026
    risk 0.43 · CVSS 7.7 · EPSS 0.00

    FastGPT is an AI Agent building platform. In versions 4.14.11 and prior, FastGPT's isInternalAddress() function in packages/service/common/system/utils.ts blocks cloud metadata endpoints using a fullUrl.startsWith() check against a hardcoded list. This check can be bypassed…

  • CVE-2026-41905 · High · May 7, 2026
    risk 0.43 · CVSS 7.7 · EPSS 0.00

    FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to version 1.8.217, Helper::sanitizeRemoteUrl() in app/Misc/Helper.php follows HTTP redirects via curlGetLastRedirectedUrl() but then re-validates the original URL instead of the final…

  • CVE-2026-41688 · High · May 7, 2026
    risk 0.43 · CVSS 7.7 · EPSS 0.00

    Wallos is an open-source, self-hostable personal subscription tracker. In versions 4.8.4 and prior, the incomplete SSRF fix in Wallos validates webhook URLs via gethostbyname() but passes the original hostname to cURL without CURLOPT_RESOLVE pinning on 10 of 11 outbound HTTP…

  • CVE-2026-43580 · High · May 6, 2026
    risk 0.43 · CVSS 7.7 · EPSS 0.00

    OpenClaw before 2026.4.10 contains an incomplete navigation guard vulnerability that allows attackers to trigger navigation without complete SSRF policy enforcement. Browser press/type style interactions, including pressKey and type submit flows, can bypass post-action security…

  • CVE-2026-43576 · High · May 6, 2026
    risk 0.43 · CVSS 7.7 · EPSS 0.00

    OpenClaw before 2026.4.5 contains a server-side request forgery vulnerability in the CDP /json/version WebSocket endpoint that allows attackers to pivot to untrusted second-hop targets. The webSocketDebuggerUrl response field is not properly validated, enabling attackers to…

  • CVE-2026-43573 · High · May 5, 2026
    risk 0.43 · CVSS 7.7 · EPSS 0.00

    OpenClaw before 2026.4.10 contains a server-side request forgery policy bypass vulnerability in existing-session browser interaction routes. Attackers can bypass SSRF navigation guards to interact with or navigate to unauthorized targets without policy enforcement.

  • CVE-2026-43527 · High · May 5, 2026
    risk 0.43 · CVSS 7.7 · EPSS 0.00

    OpenClaw before 2026.4.14 contains a server-side request forgery vulnerability in browser SSRF policy that allows private-network navigation by default. Attackers can exploit this misconfiguration to access internal services or metadata endpoints through browser-driven requests.

  • CVE-2026-42436 · High · May 5, 2026
    risk 0.43 · CVSS 7.7 · EPSS 0.00

    OpenClaw before 2026.4.14 contains an improper access control vulnerability in browser snapshot, screenshot, and tab routes that fail to consistently validate the final browser target after navigation. Authenticated callers can bypass SSRF restrictions to expose internal or…

  • CVE-2026-41060 · High · Apr 21, 2026
    risk 0.43 · CVSS 7.7 · EPSS 0.00

    WWBN AVideo is an open source video platform. In versions 29.0 and below, the `isSSRFSafeURL()` function in `objects/functions.php` contains a same-domain shortcircuit (lines 4290-4296) that allows any URL whose hostname matches `webSiteRootURL` to bypass all SSRF protections.…

  • CVE-2026-34428 · High · Apr 20, 2026
    risk 0.43 · CVSS 7.7 · EPSS 0.00

    Vvveb prior to 1.0.8.1 contains a server-side request forgery vulnerability in the oEmbedProxy action of the editor/editor module where the url parameter is passed directly to getUrl() via curl without scheme or destination validation. Authenticated backend users can supply…

  • CVE-2026-40348 · High · Apr 18, 2026
    risk 0.43 · CVSS 7.7 · EPSS 0.00

    Movary is a self hosted web app to track and rate a user's watched movies. Prior to version 0.71.1, an ordinary authenticated user can trigger server-side requests to arbitrary internal targets through `POST /settings/jellyfin/server-url-verify`. The endpoint accepts a…

  • CVE-2026-31941 · High · Apr 10, 2026
    risk 0.43 · CVSS 7.7 · EPSS 0.00

    Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, Chamilo LMS contains a Server-Side Request Forgery (SSRF) vulnerability in the Social Wall feature. The endpoint read_url_with_open_graph accepts a URL from the user via the social_wall_new_msg_main…
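The description at the top of this page says the server must "sufficiently ensure that the request is being sent to the expected destination", and the entries listed here show the usual ways that check falls short: a substring test on the URL (the Budibase plugin upload), a string-prefix denylist of metadata addresses (FastGPT), validating the original URL and then following redirects without re-checking (the Budibase REST datasource, FreeScout), and resolving the hostname for the check but letting the HTTP client resolve it again for the connection (Wallos). The following is an added example written for this page; it is not code from this page or from any of the projects listed on it. It is a Python guard that resolves the host, rejects the request if any resolved address falls in a blocked range (including IPv4-mapped IPv6 literals), pins the connection to the address it checked, and re-runs the same check on every redirect hop. The hostnames, DNS answers and HTTP responses are constructed stand-ins so it runs offline, and the two weak_* functions are hypothetical re-creations of the patterns just named, not the projects' code.

```python
import ipaddress
from typing import Callable
from urllib.parse import urlsplit

# Ranges a server-side fetch must never reach: loopback, RFC 1918, CGNAT, link-local
# (which includes the 169.254.169.254 cloud metadata endpoint) and their IPv6 equivalents.
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]
REDIRECT_STATUSES = (301, 302, 303, 307, 308)
MAX_REDIRECTS = 3
Resolver = Callable[[str], list[str]]                  # hostname -> resolved addresses
HttpGet = Callable[[str, str, str], tuple[int, str]]   # (ip, host, path) -> (status, body or Location)

def is_blocked_ip(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped          # ::ffff:169.254.169.254 is still the metadata address
    return addr.is_multicast or addr.is_reserved or any(addr in net for net in BLOCKED_NETS)

# Hypothetical re-creations of two weak checks in the style of the entries above (not the
# projects' code): a substring test and a string-prefix denylist. Both are bypassable.
def weak_plugin_url_check(url: str) -> bool:
    return ".tar.gz" in url              # passes http://10.0.0.5/?x=.tar.gz

def weak_metadata_check(url: str) -> bool:
    return not url.startswith("http://169.254.169.254")   # passes any DNS name for that IP

def validate_target(url: str, resolve: Resolver) -> tuple[str, str, str]:
    """Parse url, resolve its host and reject it if ANY resolved address is blocked.
    Returns (pinned_ip, host, path); the caller connects to pinned_ip and sends Host: host,
    so a second DNS answer (rebinding) cannot change where the request goes."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if not parts.hostname or parts.username or parts.password:
        raise ValueError("missing host or userinfo present")
    host = parts.hostname
    try:
        ips = [str(ipaddress.ip_address(host))]   # IP literal (v4, v6 or v4-mapped v6)
    except ValueError:
        ips = resolve(host)
    if not ips:
        raise ValueError(f"{host} does not resolve")
    for ip in ips:
        if is_blocked_ip(ip):
            raise ValueError(f"{host} resolves to blocked address {ip}")
    path = (parts.path or "/") + (f"?{parts.query}" if parts.query else "")
    return ips[0], host, path

def naive_fetch(url: str, resolve: Resolver, http_get: HttpGet) -> tuple[int, str]:
    """The pattern several entries above describe: validate once, then follow redirects blindly."""
    ip, host, path = validate_target(url, resolve)
    for _ in range(MAX_REDIRECTS + 1):
        status, payload = http_get(ip, host, path)
        if status not in REDIRECT_STATUSES:
            return status, payload
        parts = urlsplit(payload)              # Location header, never re-validated or re-pinned
        ip, host, path = parts.hostname, parts.hostname, parts.path or "/"
    raise ValueError("too many redirects")

def safe_fetch(url: str, resolve: Resolver, http_get: HttpGet) -> tuple[int, str]:
    """Every hop, including each redirect target, is re-validated and pinned before connecting."""
    for _ in range(MAX_REDIRECTS + 1):
        ip, host, path = validate_target(url, resolve)
        status, payload = http_get(ip, host, path)
        if status not in REDIRECT_STATUSES:
            return status, payload
        url = payload
    raise ValueError("too many redirects")

def fetch_or_reason(url: str, resolve: Resolver, http_get: HttpGet):
    """safe_fetch with a rejection returned as the reason string instead of an exception."""
    try:
        return safe_fetch(url, resolve, http_get)
    except ValueError as exc:
        return str(exc)

# Constructed DNS table and HTTP responses standing in for the network (hypothetical names).
FAKE_DNS = {
    "files.example.com": ["203.0.113.10"],
    "metadata-lookalike.example.com": ["169.254.169.254"],   # public name, internal address
    "dual.example.com": ["203.0.113.20", "10.0.0.5"],        # one public record, one private
}
FAKE_HTTP = {
    ("files.example.com", "/plugin.tar.gz"): (200, "tarball bytes"),
    ("files.example.com", "/hop"): (302, "http://169.254.169.254/latest/meta-data/"),
    ("169.254.169.254", "/latest/meta-data/"): (200, "instance credentials"),
    ("10.0.0.5", "/?x=.tar.gz"): (200, "internal admin panel"),
}

def fake_resolve(host: str) -> list[str]:
    return FAKE_DNS.get(host, [])

def fake_http_get(ip: str, host: str, path: str) -> tuple[int, str]:
    # A real client would open the socket to `ip` and send `Host: host` (and SNI for TLS).
    return FAKE_HTTP.get((host, path), (404, ""))

if __name__ == "__main__":
    print(naive_fetch("http://files.example.com/hop", fake_resolve, fake_http_get))
    print(fetch_or_reason("http://files.example.com/hop", fake_resolve, fake_http_get))
```

The guard only holds if the HTTP client really connects to the address that was checked; with a library that does its own lookup you need the client's pinning mechanism (the CURLOPT_RESOLVE the Wallos entry refers to) or the check is a TOCTOU against DNS. Two further caveats: a resolver such as getaddrinfo may accept non-dotted numeric forms (decimal or octal IPv4) as literals, so hostnames should be restricted to valid DNS labels before lookup, and a fetch to an IP on the allowed side of a NAT or cloud VPC may still be internal from the deployment's point of view, so the blocked list is a floor, not the whole policy.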