VYPR

CWE-918

Server-Side Request Forgery (SSRF)

Base · Incomplete

Description

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-664

CVEs mapped to this weakness (1,583)

  • CVE-2026-6744 · Med · Apr 21, 2026
    risk 0.41 · cvss 6.3 · epss 0.00

    A vulnerability was found in Bagisto up to 2.3.15. Affected is the function copy of the component Downloadable Link Handler. The manipulation results in server-side request forgery. The attack may be launched remotely. The exploit has been made public and could be used. The…

  • CVE-2026-6649 · Med · Apr 20, 2026
    risk 0.41 · cvss 6.3 · epss 0.00

    A vulnerability was determined in Qibo CMS 1.0. Affected by this issue is some unknown functionality of the file /index/image/headers. Executing a manipulation of the argument starts can lead to server-side request forgery. The attack can be launched remotely. The exploit has…

  • CVE-2026-6618 · Med · Apr 20, 2026
    risk 0.41 · cvss 6.3 · epss 0.00

    A flaw has been found in langgenius dify up to 1.13.3. This issue affects the function parse_openai_plugin_json_to_tool_bundle of the file api/core/tools/utils/parser.py of the component ApiBasedToolSchemaParser. Executing a manipulation of the argument url can lead to…

  • CVE-2026-6616 · Med · Apr 20, 2026
    risk 0.41 · cvss 6.3 · epss 0.00

    A security vulnerability has been detected in TransformerOptimus SuperAGI up to 0.0.14. This affects the function extract_with_bs4/extract_with_3k/extract_with_lxml of the file superagi/helper/webpage_extractor.py of the component WebScraperTool. Such manipulation leads to…

  • CVE-2026-6587 · Med · Apr 20, 2026
    risk 0.41 · cvss 6.3 · epss 0.00

    A security flaw has been discovered in vibrantlabsai RAGAS up to 0.4.3. The affected element is the function _try_process_local_file/_try_process_url of the file src/ragas/metrics/collections/multi_modal_faithfulness/util.py of the component Collections Module. Performing a…

  • CVE-2026-6573 · Med · Apr 19, 2026
    risk 0.41 · cvss 6.3 · epss 0.00

    A vulnerability was detected in PHPEMS 11.0. This affects the function temppage of the file /app/exam/controller/exams.master.php of the component Instant Exam Creation Handler. The manipulation of the argument uploadfile results in server-side request forgery. The attack can be…

  • CVE-2026-6497 · Med · Apr 17, 2026
    risk 0.41 · cvss 6.3 · epss 0.00

    A vulnerability was determined in prasathmani TinyFileManager up to 2.6. Affected by this vulnerability is an unknown functionality of the file /filemanager.php?p= ajax=true&type=upload of the component File Upload Handler. This manipulation of the argument uploadurl causes…

  • CVE-2026-6215 · Med · Apr 13, 2026
    risk 0.41 · cvss 6.3 · epss 0.00

    A weakness has been identified in DbGate up to 7.1.4. The impacted element is the function apiServerUrl1 of the file packages/rest/src/openApiDriver.ts of the component REST/GraphQL. This manipulation causes server-side request forgery. The attack may be initiated remotely. The…

  • CVE-2026-35629 · Hig · Apr 9, 2026
    risk 0.41 · cvss 7.4 · epss 0.00

    OpenClaw before 2026.3.25 contains a server-side request forgery vulnerability in multiple channel extensions that fail to properly guard configured base URLs against SSRF attacks. Attackers can exploit unprotected fetch() calls against configured endpoints to rebind requests to…

  • CVE-2026-5623 · Med · Apr 6, 2026
    risk 0.41 · cvss 6.3 · epss 0.00

    A vulnerability was identified in hcengineering Huly Platform 0.7.382. This affects an unknown part of the file server/front/src/index.ts of the component Import Endpoint. Such manipulation leads to server-side request forgery. The attack can be launched remotely. The exploit is…

  • CVE-2026-5607 · Med · Apr 6, 2026
    risk 0.41 · cvss 6.3 · epss 0.00

    A security vulnerability has been detected in imprvhub mcp-browser-agent up to 0.8.0. This impacts the function CallToolRequestSchema of the file src/handlers.ts of the component URL Parameter Handler. The manipulation of the argument request.params.name/request.params.arguments…

  • CVE-2026-5538 · Med · Apr 5, 2026
    risk 0.41 · cvss 6.3 · epss 0.00

    A vulnerability was detected in QingdaoU OnlineJudge up to 1.6.1. Affected by this issue is the function service_url of the file JudgeServer.service_url of the component judge_server_heartbeat Endpoint. The manipulation results in server-side request forgery. It is possible to…

  • CVE-2026-5530 · Med · Apr 5, 2026
    risk 0.41 · cvss 6.3 · epss 0.00

    A flaw has been found in Ollama up to 18.1. This issue affects some unknown processing of the file server/download.go of the component Model Pull API. Executing a manipulation can lead to server-side request forgery. The attack can be launched remotely. The vendor was contacted…

  • CVE-2026-5470 · Med · Apr 3, 2026
    risk 0.41 · cvss 6.3 · epss 0.00

    A security vulnerability has been detected in mixelpixx Google-Research-MCP 1e062d7bd887bfe5f6e582b6cc288bb897b35cf2/ca613b736ab787bc926932f59cddc69457185a83. This issue affects the function extractContent of the file src/services/content-extractor.service.ts of the component…

  • CVE-2026-5259 · Med · Apr 1, 2026
    risk 0.41 · cvss 6.3 · epss 0.00

    A vulnerability was determined in AutohomeCorp frostmourne up to 1.0. The affected element is an unknown function of the file frostmourne-monitor/src/main/java/com/autohome/frostmourne/monitor/controller/AlarmController.java of the component Alarm Preview. Executing a…

  • CVE-2026-5205 · Med · Mar 31, 2026
    risk 0.41 · cvss 6.3 · epss 0.00

    A vulnerability was identified in chatwoot up to 4.11.2. Affected by this vulnerability is the function Webhooks::Trigger in the library lib/webhooks/trigger.rb of the component Webhook API. Such manipulation of the argument url leads to server-side request forgery. The attack…

  • CVE-2026-5126 · Med · Mar 30, 2026
    risk 0.41 · cvss 6.3 · epss 0.00

    A flaw has been found in SourceCodester RSS Feed Parser 1.0. Affected by this issue is the function file_get_contents. This manipulation causes server-side request forgery. The attack can be carried out remotely. The exploit has been published and may be used.

  • CVE-2026-4964 · Med · Mar 27, 2026
    risk 0.41 · cvss 6.3 · epss 0.00

    A security vulnerability has been detected in letta-ai letta 0.16.4. This vulnerability affects the function _convert_message_create_to_message of the file letta/helpers/message_helper.py of the component File URL Handler. Such manipulation of the argument ImageContent leads to…

  • CVE-2026-4907 · Med · Mar 27, 2026
    risk 0.41 · cvss 6.3 · epss 0.00

    A vulnerability was identified in Page-Replica Page Replica up to e4a7f52e75093ee318b4d5a9a9db6751050d2ad0. The impacted element is the function sitemap.fetch of the file /sitemap of the component Endpoint. The manipulation of the argument url leads to server-side request…

  • CVE-2026-4589 · Med · Mar 23, 2026
    risk 0.41 · cvss 6.3 · epss 0.00

    A vulnerability was identified in kalcaddle kodbox 1.64. The affected element is the function PathDriverUrl of the file /workspace/source-code/app/controller/explorer/editor.class.php of the component fileGet Endpoint. Such manipulation of the argument path leads to server-side…