VYPR

CWE-918

Server-Side Request Forgery (SSRF)

Abstraction: Base · Status: Incomplete

Description

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-664

CVEs mapped to this weakness (1,583)

  • CVE-2026-32019 · High · Mar 19, 2026
    risk 0.41 · cvss 7.4 · epss 0.00

    OpenClaw versions prior to 2026.2.22 contain incomplete IPv4 special-use range validation in the isPrivateIpv4() function, allowing requests to RFC-reserved ranges to bypass SSRF policy checks. Attackers with network reachability to special-use IPv4 ranges can exploit web_fetch…

  • CVE-2026-4308 · Medium · Mar 17, 2026
    risk 0.41 · cvss 6.3 · epss 0.00

    A weakness has been identified in frdel/agent0ai agent-zero 0.9.7. This affects the function handle_pdf_document of the file python/helpers/document_query.py. This manipulation causes server-side request forgery. The attack is possible to be carried out remotely. The exploit has…

  • CVE-2026-4215 · Medium · Mar 16, 2026
    risk 0.41 · cvss 6.3 · epss 0.00

    A security flaw has been discovered in FlowCI flow-core-x up to 1.23.01. The impacted element is the function Save of the file core/src/main/java/com/flowci/core/config/service/ConfigServiceImpl.java of the component SMTP Host Handler. The manipulation results in server-side…

  • CVE-2026-3966 · Medium · Mar 12, 2026
    risk 0.41 · cvss 6.3 · epss 0.00

    A vulnerability was detected in 648540858 wvp-GB28181-pro up to 2.7.4-20260107. Affected by this vulnerability is the function getDownloadFilePath of the file /src/main/java/com/genersoft/iot/vmp/media/abl/ABLMediaNodeServerService.java of the component IP Address Handler. The…

  • CVE-2026-3961 · Medium · Mar 11, 2026
    risk 0.41 · cvss 6.3 · epss 0.00

    A vulnerability was determined in zyddnys manga-image-translator up to beta-0.3. The affected element is the function to_pil_image of the file manga-image-translator-main/server/request_extraction.py of the component Translate Endpoints. This manipulation causes server-side…

  • CVE-2026-3958 · Medium · Mar 11, 2026
    risk 0.41 · cvss 6.3 · epss 0.00

    A vulnerability has been found in Woahai321 ListSync up to 0.6.6. This issue affects the function requests.post of the file list-sync-main/api_server.py of the component JSON Handler. The manipulation leads to server-side request forgery. The attack is possible to be carried out…

  • CVE-2026-3789 · Medium · Mar 9, 2026
    risk 0.41 · cvss 6.3 · epss 0.00

    A vulnerability was detected in Bytedesk up to 1.3.9. Affected is the function getModels of the file source-code/src/main/java/com/bytedesk/ai/springai/providers/gitee/SpringAIGiteeRestService.java of the component SpringAIGiteeRestController. Performing a manipulation of the…

  • CVE-2026-3788 · Medium · Mar 9, 2026
    risk 0.41 · cvss 6.3 · epss 0.00

    A security vulnerability has been detected in Bytedesk up to 1.3.9. This impacts the function getModels of the file source-code/src/main/java/com/bytedesk/ai/springai/providers/openrouter/SpringAIOpenrouterRestService.java of the component SpringAIOpenrouterRestController. Such…

  • CVE-2026-3733 · Medium · Mar 8, 2026
    risk 0.41 · cvss 6.3 · epss 0.00

    A vulnerability was detected in xuxueli xxl-job up to 3.3.2. This impacts an unknown function of the file source-code/src/main/java/com/xxl/job/admin/controller/JobInfoController.java. The manipulation results in server-side request forgery. It is possible to launch the attack…

  • CVE-2026-3683 · Medium · Mar 8, 2026
    risk 0.41 · cvss 6.3 · epss 0.00

    A vulnerability was detected in bufanyun HotGo up to 2.0. This issue affects the function ImageTransferStorage of the file /server/internal/logic/common/upload.go of the component Endpoint. The manipulation results in server-side request forgery. The attack may be launched…

  • CVE-2026-3681 · Medium · Mar 7, 2026
    risk 0.41 · cvss 6.3 · epss 0.00

    A weakness has been identified in welovemedia FFmate up to 2.0.15. This affects the function fireWebhook of the file /internal/service/webhook/webhook.go. Executing a manipulation can lead to server-side request forgery. The attack can be launched remotely. The exploit has been…

  • CVE-2026-3286 · Medium · Feb 27, 2026
    risk 0.41 · cvss 6.3 · epss 0.00

    A vulnerability was identified in itwanger paicoding 1.0.0/1.0.1/1.0.2/1.0.3. The impacted element is the function Save of the file paicoding-web/src/main/java/com/github/paicoding/forum/web/common/image/rest/ImageRestController.java of the component Image Save Endpoint. Such…

  • CVE-2026-3270 · Medium · Feb 27, 2026
    risk 0.41 · cvss 6.3 · epss 0.00

    A vulnerability has been found in psi-probe PSI Probe up to 5.3.0. This affects the function lookup of the file psi-probe-core/src/main/java/psiprobe/tools/Whois.java of the component Whois. The manipulation leads to server-side request forgery. The attack may be initiated…

  • CVE-2026-3163 · Medium · Feb 25, 2026
    risk 0.41 · cvss 6.3 · epss 0.00

    A vulnerability has been found in SourceCodester Website Link Extractor 1.0. This vulnerability affects the function file_get_contents of the component URL Handler. The manipulation leads to server-side request forgery. It is possible to initiate the attack remotely. The exploit…

  • CVE-2026-3052 · Medium · Feb 24, 2026
    risk 0.41 · cvss 6.3 · epss 0.00

    A vulnerability was found in DataLinkDC dinky up to 1.2.5. The impacted element is the function proxyUba of the file dinky-admin/src/main/java/org/dinky/controller/FlinkProxyController.java of the component Flink Proxy Controller. Performing a manipulation results in server-side…

  • CVE-2026-2985 · Medium · Feb 23, 2026
    risk 0.41 · cvss 6.3 · epss 0.00

    A security flaw has been discovered in Tiandy Video Surveillance System 视频监控平台 7.17.0. This impacts the function downloadImage of the file /com/tiandy/easy7/core/bo/CLSBODownLoad.java. Performing a manipulation of the argument urlPath results in server-side request…

  • CVE-2026-2945 · Medium · Feb 22, 2026
    risk 0.41 · cvss 6.3 · epss 0.00

    A weakness has been identified in JeecgBoot 3.9.0. Affected by this vulnerability is an unknown functionality of the file /sys/common/uploadImgByHttp. Executing a manipulation of the argument fileUrl can lead to server-side request forgery. The attack may be launched remotely.…

  • CVE-2026-2654 · Medium · Feb 18, 2026
    risk 0.41 · cvss 6.3 · epss 0.00

    A weakness has been identified in huggingface smolagents 1.24.0. Impacted is the function requests.get/requests.post of the component LocalPythonExecutor. Executing a manipulation can lead to server-side request forgery. It is possible to launch the attack remotely. The exploit…

  • CVE-2026-2558 · Medium · Feb 16, 2026
    risk 0.41 · cvss 6.3 · epss 0.00

    A flaw has been found in GeekAI up to 4.2.4. The affected element is the function Download of the file api/handler/net_handler.go. This manipulation of the argument url causes server-side request forgery. Remote exploitation of the attack is possible. The exploit has been…

  • CVE-2026-2556 · Medium · Feb 16, 2026
    risk 0.41 · cvss 6.3 · epss 0.00

    A security vulnerability has been detected in cskefu up to 8.0.1. This issue affects some unknown processing of the file com/cskefu/cc/controller/resource/MediaController.java of the component Endpoint. The manipulation of the argument url leads to server-side request forgery.…