VYPR

CWE-918

Server-Side Request Forgery (SSRF)

Abstraction: Base
Status: Incomplete

Description

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-664

CVEs mapped to this weakness (1,583)

page 4 of 80
  • CVE-2024-47578 | Critical | Dec 10, 2024
    risk 0.59 | CVSS 9.1 | EPSS 0.01

    Adobe Document Service allows an attacker with administrator privileges to send a crafted request from a vulnerable web application. It is usually used to target internal systems behind firewalls that are normally inaccessible to an attacker from the external network, resulting…

  • CVE-2023-50913 | Critical | Dec 5, 2024
    risk 0.59 | CVSS 9.1 | EPSS 0.00

    Oxide control plane software before 5 allows SSRF.

  • CVE-2024-50811 | Critical | Nov 8, 2024
    risk 0.59 | CVSS 9.1 | EPSS 0.00

    hopetree izone lts c011b48 contains a server-side request forgery (SSRF) vulnerability in the active push function as \\apps\\tool\\apis\\bd_push.py does not securely filter user input through push_urls() and get_urls().

  • CVE-2024-29021 | Critical | Apr 18, 2024
    risk 0.59 | CVSS 9.0 | EPSS 0.20

    Judge0 is an open-source online code execution system. The default configuration of Judge0 leaves the service vulnerable to a sandbox escape via Server Side Request Forgery (SSRF). This allows an attacker with sufficient access to the Judge0 API to obtain unsandboxed code…

  • CVE-2024-25864 | Critical | Apr 3, 2024
    risk 0.59 | CVSS 9.1 | EPSS 0.01

    Server Side Request Forgery (SSRF) vulnerability in Friendica versions after v.2023.12, allows a remote attacker to execute arbitrary code and obtain sensitive information via the fpostit.php component.

  • CVE-2018-16444 | Critical | Sep 4, 2018
    risk 0.59 | CVSS 9.1 | EPSS 0.01

    An issue was discovered in SeaCMS 6.61. adm1n/admin_reslib.php has SSRF via the url parameter.

  • CVE-2017-14611 | Critical | Apr 10, 2018
    risk 0.59 | CVSS 9.1 | EPSS 0.02

    SSRF (Server Side Request Forgery) in Cockpit 0.13.0 allows remote attackers to read arbitrary files or send TCP traffic to intranet hosts via the url parameter, related to use of the discontinued aheinze/fetch_url_contents component.

  • CVE-2018-1000138 | Critical | Mar 23, 2018
    risk 0.59 | CVSS 9.1 | EPSS 0.02

    I, Librarian version 4.8 and earlier contains an SSRF vulnerability in the "url" parameter of getFromWeb in functions.php that can result in the attacker abusing functionality on the server to read or update internal resources.

  • CVE-2026-5921 | High | Apr 21, 2026
    risk 0.58 | CVSS 8.9 | EPSS 0.00

    A server-side request forgery (SSRF) vulnerability was identified in GitHub Enterprise Server that allowed an attacker to extract sensitive environment variables from the instance through a timing side-channel attack against the notebook rendering service. When private mode was…

  • CVE-2026-32871 | Critical | Apr 2, 2026
    risk 0.58 | CVSS 10.0 | EPSS 0.01

    FastMCP is a Pythonic way to build MCP servers and clients. Prior to version 3.2.0, the OpenAPIProvider in FastMCP exposes internal APIs to MCP clients by parsing OpenAPI specifications. The RequestDirector class is responsible for constructing HTTP requests to the backend…

  • CVE-2026-34162 | Critical | Mar 31, 2026
    risk 0.58 | CVSS 10.0 | EPSS 0.00

    FastGPT is an AI Agent building platform. Prior to version 4.14.9.5, the FastGPT HTTP tools testing endpoint (/api/core/app/httpTools/runTool) is exposed without any authentication. This endpoint acts as a full HTTP proxy — it accepts a user-supplied baseUrl, toolPath, HTTP…

  • CVE-2025-54122 | Critical | Jul 21, 2025
    risk 0.58 | CVSS 10.0 | EPSS 0.01

    Manager-io/Manager is accounting software. A critical unauthenticated full read Server-Side Request Forgery (SSRF) vulnerability has been identified in the proxy handler component of both manager Desktop and Server edition versions up to and including 25.7.18.2519. This…

  • CVE-2018-3774 | Critical | Aug 12, 2018
    risk 0.58 | CVSS 10.0 | EPSS 0.04

    Incorrect parsing in url-parse <1.4.3 returns wrong hostname which leads to multiple vulnerabilities such as SSRF, Open Redirect, Bypass Authentication Protocol.

  • CVE-2026-45504 | High | Jun 9, 2026
    risk 0.57 | CVSS 8.8 | EPSS 0.00

    Server-side request forgery (SSRF) in Microsoft Exchange Server allows an authorized attacker to elevate privileges over a network.

  • CVE-2026-46391 | High | Jun 5, 2026
    risk 0.57 | CVSS (not given) | EPSS 0.00

    HAX CMS helps manage microsite universe with PHP or NodeJs backends. Starting in version 9.0.1 and prior to version 26.0.0 of @haxtheweb/open-apis, multiple functions conduct substring-only matching to validate hostnames to which basic authorization should be sent. An attacker…

  • CVE-2026-43986 | Critical | Jun 4, 2026
    risk 0.57 | CVSS 9.9 | EPSS 0.00

    Tautulli is a Python based monitoring and tracking tool for Plex Media Server. Versions prior to 2.17.1 expose a public `/image/` route that resolves attacker-controlled entries from `image_hash_lookup` and replays them through the same server-side image fetch logic used…

  • CVE-2026-9813 | Critical | May 28, 2026
    risk 0.57 | CVSS 9.9 | EPSS 0.00

    FlowIntel up to version 3.3.0 contains a server-side request forgery (SSRF) vulnerability in the external reference URL probe functionality in app/case/task.py. An attacker who can submit an external reference URL can cause the application server to issue an HTTP HEAD request…

  • CVE-2026-30118 | Critical | May 19, 2026
    risk 0.57 | CVSS 9.8 | EPSS 0.00

    scalar/astro v0.1.13 was discovered to contain a Server-Side Request Forgery (SSRF) in the scalar_url query parameter of the Scalar Proxy endpoint. This vulnerability allows unauthenticated attackers to force the backend server to send HTTP requests to attacker-controlled URLs,…

  • CVE-2026-30810 | High | May 12, 2026
    risk 0.57 | CVSS 8.8 | EPSS 0.00

    Server-Side Request Forgery vulnerability allows Privilege Escalation via the API Checker extension. This issue affects Pandora FMS: from 777 through 800.

  • CVE-2026-42864 | Critical | May 11, 2026
    risk 0.57 | CVSS 9.9 | EPSS 0.00

    FireFighter is an incident management application. Prior to 0.0.54, the POST /api/v2/firefighter/raid/jira_bot endpoint (CreateJiraBotView) is reachable without authentication (permission_classes = [permissions.AllowAny]). Its attachments payload is fetched server-side via…