VYPR

CWE-918

Server-Side Request Forgery (SSRF)

BaseIncomplete

Description

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-664

CVEs mapped to this weakness (1,583)

page 30 of 80
  • CVE-2017-18638HigOct 11, 2019
    risk 0.43cvss 7.5epss 0.17

    send_email in graphite-web/webapp/graphite/composer/views.py in Graphite through 1.1.5 is vulnerable to SSRF. The vulnerable SSRF endpoint can be used by an attacker to have the Graphite web server request any resource. The response to this SSRF request is encoded into an image…

  • CVE-2019-6257HigJan 14, 2019
    risk 0.43cvss 7.7epss 0.01

    A Server Side Request Forgery (SSRF) vulnerability in elFinder before 2.1.46 could allow a malicious user to access the content of internal network resources. This occurs in get_remote_contents() in php/elFinder.class.php.

  • CVE-2017-0929HigJul 3, 2018
    risk 0.43cvss 7.5epss 0.13

    DNN (aka DotNetNuke) before 9.2.0 suffers from a Server-Side Request Forgery (SSRF) vulnerability in the DnnImageHandler class. Attackers may be able to access information about internal network resources.

  • CVE-2026-46697HigJun 11, 2026
    risk 0.42cvss 7.5epss 0.00

    Fediverse Embeds embeds fediverse posts on WordPress sites. Prior to version 1.5.8, Fediverse Embeds registered an unauthenticated REST route ftf/media-proxy (includes/Media_Proxy.php) with permission_callback => __return_true that accepted a base64-encoded URL and forwarded it…

  • CVE-2026-45561MedJun 10, 2026
    risk 0.42cvss 6.5epss 0.00

    Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, the /smon/agent/{version,uptime,status,checks}/<server_ip> family of routes takes the URL path component verbatim into requests.get(f'http://{server_ip}:{agent_po…

  • CVE-2026-45501MedJun 9, 2026
    risk 0.42cvss 6.5epss 0.00

    Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Exchange Server allows an unauthorized attacker to perform spoofing over a network.

  • CVE-2026-26379MedJun 3, 2026
    risk 0.42cvss 6.5epss 0.00

    Koha versions up to 25.11 contain a Server-Side Request Forgery (SSRF) vulnerability via the Z39.50/SRU server configuration. This allows authenticated attackers to perform internal network scanning and identify running services by analyzing server response times.

  • CVE-2026-45619MedMay 29, 2026
    risk 0.42cvss 6.5epss 0.00

    WWBN AVideo is an open source video platform. In 29.0 and earlier, EpgParser.php, plugin/AI/receiveAsync.json.php, and other locations do not use the $resolvedIP out-param of isSSRFSafeURL() for DNS pinning via CURLOPT_RESOLVE, opening DNS-rebinding TOCTOU.

  • CVE-2026-9557MedMay 29, 2026
    risk 0.42cvss 6.4epss 0.00

    A Server-Side Request Forgery (SSRF) vulnerability exists in Mautic's Focus component. Due to insufficient validation of user-supplied URLs, an authenticated user can trigger outbound HTTP requests from the hosting server, enabling internal network reconnaissance or forcing…

  • CVE-2026-5737MedMay 28, 2026
    risk 0.42cvss 6.5epss 0.00

    The Independent Analytics plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.14.9. This is due to a public tracking route at /wp-json/iawp/search that accepts attacker-controlled referrer_url values when the signature…

  • CVE-2026-34207HigMay 22, 2026
    risk 0.42cvss 7.6epss 0.00

    TypeBot is a chatbot builder tool. In versions prior to 3.16.0, SSRF protection for Webhook / HTTP Request blocks validates only the URL string, blocked hostname literals, and literal IP formats. It does not resolve DNS before allowing the request. As a result, a hostname such…

  • CVE-2026-44439HigMay 13, 2026
    risk 0.42cvss 7.5epss 0.00

    PlaywrightCapture is a simple replacement for splash using playwright. Prior to 1.39.6, PlaywrightCapture did not sufficiently restrict navigations and resource requests initiated by rendered pages. An attacker-controlled page could abuse browser-side redirection mechanisms,…

  • CVE-2026-5773HigMay 13, 2026
    risk 0.42cvss 7.5epss 0.01

    libcurl might in some circumstances reuse the wrong connection for SMB(S) transfers. libcurl features a pool of recent connections so that subsequent requests can reuse an existing connection to avoid overhead. When reusing a connection a range of criteria must be met. Due to…

  • CVE-2026-40280HigMay 5, 2026
    risk 0.42cvss 7.5epss 0.00

    Gotenberg is an API-based document conversion tool. In versions 8.30.1 and earlier, the default private-IP deny-lists for the --webhook-deny-list and --api-download-from-deny-list flags use a case-sensitive regular expression (^https?://) to match URL schemes. Because Go's…

  • CVE-2026-42404MedMay 1, 2026
    risk 0.42cvss 6.5epss 0.01

    Apache Neethi does not impose any restrictions on URIs when manually fetching remote policy references through the PolicyReference API. When an application explicitly calls the API to retrieve a policy from a remote URI, an outbound request is made for arbitrary protocols and…

  • CVE-2026-3340MedApr 30, 2026
    risk 0.42cvss 6.5epss 0.00

    IBM Langflow Desktop 1.0.0 through 1.8.4 IBM Langflow is vulnerable to server-side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks.

  • CVE-2026-36759MedApr 30, 2026
    risk 0.42cvss 6.5epss 0.00

    A Server-Side Request Forgery (SSRF) in the /themes/{name}/upgrade-from-uri endpoint of halo v2.22.14 allows authenticated attackers to scan internal resources via a crafted GET request.

  • CVE-2026-41912HigApr 28, 2026
    risk 0.42cvss 7.6epss 0.00

    OpenClaw before 2026.4.8 contains a server-side request forgery policy bypass vulnerability allowing attackers to trigger navigations bypassing normal SSRF checks. Attackers can exploit browser interactions to bypass SSRF protections and access restricted resources.

  • CVE-2026-41481MedApr 24, 2026
    risk 0.42cvss 6.5epss 0.00

    LangChain is a framework for building agents and LLM-powered applications. Prior to langchain-text-splitters 1.1.2, HTMLHeaderTextSplitter.split_text_from_url() validated the initial URL using validate_safe_url() but then performed the fetch with requests.get() with redirects…

  • CVE-2026-41302HigApr 21, 2026
    risk 0.42cvss 7.6epss 0.00

    OpenClaw before 2026.3.31 contains a server-side request forgery vulnerability in the marketplace plugin download functionality that allows remote attackers to make arbitrary network requests. Attackers can exploit unguarded fetch() calls to access internal resources or interact…