VYPR

CWE-918

Server-Side Request Forgery (SSRF)

BaseIncomplete

Description

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-664

CVEs mapped to this weakness (1,583)

page 41 of 80
  • CVE-2019-7911HigAug 2, 2019
    risk 0.40cvss 7.2epss 0.01

    A server-side request forgery (SSRF) vulnerability exists in Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This can be exploited by an authenticated user with…

  • CVE-2019-7892HigAug 2, 2019
    risk 0.40cvss 7.2epss 0.02

    A remote code execution vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. An authenticated user with administrator privileges to access shipment settings can execute arbitrary code via server-side request forgery.

  • CVE-2018-1042MedJan 22, 2018
    risk 0.40cvss 6.5epss 0.16

    Moodle 3.x has Server Side Request Forgery in the filepicker.

  • CVE-2026-47735higJun 8, 2026
    risk 0.39cvss epss 0.00

    ### Summary Arc's user-SQL validator (`internal/api/query.go:ValidateSQLRequest`) blocked only `read_parquet(` and `arc_partition_agg(` via regex denylist. The broader DuckDB I/O function family — `read_csv_auto`, `read_csv`, `read_json`, `read_json_auto`, `read_text`,…

  • CVE-2026-49139HigJun 1, 2026
    risk 0.39cvss epss 0.00

    Nanobot prior to version 0.2.1 contains a server-side request forgery vulnerability in the Microsoft Teams channel handler that allows remote attackers to exfiltrate Bot Framework bearer tokens by supplying a forged activity with an attacker-controlled serviceUrl value.…

  • CVE-2026-2393HigMay 11, 2026
    risk 0.39cvss 7.1epss 0.00

    A Server-Side Request Forgery (SSRF) vulnerability exists in MLflow versions prior to 3.9.0. The `_create_webhook()` function in `mlflow/server/handlers.py` accepts a user-controlled `url` parameter without validation, and the `_send_webhook_request()` function in…

  • CVE-2026-41689MedMay 7, 2026
    risk 0.39cvss 6.0epss 0.00

    Wallos is an open-source, self-hostable personal subscription tracker. In versions 4.8.4 and prior, the webhook notification feature reuses an administrator-configured local-target allowlist for every logged-in user. Any normal user can fully control a webhook URL, headers, and…

  • CVE-2026-41644HigMay 7, 2026
    risk 0.39cvss 7.1epss 0.00

    monetr is a budgeting application for recurring expenses. Prior to version 1.12.5, a server-side request forgery (SSRF) vulnerability in monetr's Lunch Flow integration allowed any authenticated user on a self-hosted instance to cause the monetr server to issue HTTP GET requests…

  • CVE-2026-41361HigApr 23, 2026
    risk 0.39cvss 7.1epss 0.00

    OpenClaw before 2026.3.28 contains an SSRF guard bypass vulnerability that fails to block four IPv6 special-use ranges. Attackers can exploit this by crafting URLs targeting internal or non-routable IPv6 addresses to bypass SSRF protections.

  • CVE-2026-34476HigApr 13, 2026
    risk 0.39cvss 7.1epss 0.00

    Server-Side Request Forgery via SW-URL Header vulnerability in Apache SkyWalking MCP. This issue affects Apache SkyWalking MCP: 0.1.0. Users are recommended to upgrade to version 0.2.0, which fixes this issue.

  • CVE-2026-39362HigApr 8, 2026
    risk 0.39cvss 7.1epss 0.00

    InvenTree is an Open Source Inventory Management System. Prior to 1.2.7 and 1.3.0, when INVENTREE_DOWNLOAD_FROM_URL is enabled (opt-in), authenticated users can supply remote_image URLs that are fetched server-side via requests.get() with only Django's URLValidator check. There…

  • CVE-2026-39670MedApr 8, 2026
    risk 0.39cvss 6.0epss 0.00

    Server-Side Request Forgery (SSRF) vulnerability in Brecht Visual Link Preview visual-link-preview allows Server Side Request Forgery.This issue affects Visual Link Preview: from n/a through <= 2.3.0.

  • CVE-2025-6242HigOct 7, 2025
    risk 0.39cvss 7.1epss 0.00

    A Server-Side Request Forgery (SSRF) vulnerability exists in the MediaConnector class within the vLLM project's multimodal feature set. The load_from_url and load_from_url_async methods fetch and process media from user-provided URLs without adequate restrictions on the target…

  • CVE-2025-22374MedApr 10, 2025
    risk 0.39cvss epss 0.00

    A Server-Side Request Forgery (SSRF) vulnerability was discovered in the videx-legacy-ssl web service of Videx’s CyberAudit-Web, affecting versions prior to 1.1.3. This vulnerability has been patched in versions after 1.1.3. Leaving this vulnerability unpatched could lead to…

  • CVE-2022-44729HigAug 22, 2023
    risk 0.39cvss 7.1epss 0.01

    Server-Side Request Forgery (SSRF) vulnerability in Apache Software Foundation Apache XML Graphics Batik.This issue affects Apache XML Graphics Batik: 1.16. On version 1.16, a malicious SVG could trigger loading external resources by default, causing resource consumption or in…

  • CVE-2023-40033HigAug 16, 2023
    risk 0.39cvss 7.1epss 0.00

    Flarum is an open source forum software. Flarum is affected by a vulnerability that allows an attacker to conduct a Blind Server-Side Request Forgery (SSRF) attack or disclose any file on the server, even with a basic user account on any Flarum forum. By uploading a file…

  • CVE-2022-36551MedOct 3, 2022
    risk 0.39cvss 6.5epss 0.05

    A Server Side Request Forgery (SSRF) in the Data Import module in Heartex - Label Studio Community Edition versions 1.5.0 and earlier allows an authenticated user to access arbitrary files on the system. Furthermore, self-registration is enabled by default in these versions of…

  • CVE-2026-55229higJun 18, 2026
    risk 0.38cvss epss

    **Summary** Server-Side Request Forgery (SSRF) vulnerability affecting the `/forms/libreoffice/convert` endpoint in Gotenberg v8.33.0 running with the default configuration. By uploading a specially crafted DOCX document, an attacker can cause LibreOffice to automatically…

  • CVE-2026-54017higJun 17, 2026
    risk 0.38cvss epss 0.00

    ### Summary The terminal-server reverse proxy in `backend/open_webui/routers/terminals.py` does not fully confine the user-controlled `path` segment before forwarding it to an admin-configured terminal server. An authenticated user who has been granted access to a terminal…

  • CVE-2026-54008higJun 17, 2026
    risk 0.38cvss epss 0.00

    ## Summary `backend/open_webui/utils/oauth.py::_process_picture_url` (v0.9.5, lines 1435-1470) calls `validate_url(picture_url)` on the initial URL only, then invokes `aiohttp.ClientSession.get(picture_url, ...)` without `allow_redirects=False`. aiohttp's default is…