VYPR

CWE-918

Server-Side Request Forgery (SSRF)

BaseIncomplete

Description

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-664

CVEs mapped to this weakness (1,583)

page 42 of 80
  • CVE-2026-53755higJun 16, 2026
    risk 0.38cvss epss 0.00

    ### Summary The Docker API server applied its SSRF destination check to the crawl target URL only, not to the proxy address. An unauthenticated request could supply a proxy pointing at an internal IP and route the browser through it, reaching internal services and…

  • CVE-2026-53754higJun 16, 2026
    risk 0.38cvss epss 0.00

    ### Summary The Docker API server's SSRF protection (`validate_webhook_url` / `validate_url_destination` in `deploy/docker/utils.py`) used an explicit IPv4/IPv6 CIDR blocklist that missed several address families. An attacker could reach internal services and cloud metadata…

  • CVE-2026-48818higJun 15, 2026
    risk 0.38cvss epss 0.00

    ### Summary When serving static files on Windows, `StaticFiles` resolves the requested path with [`os.path.realpath`](https://docs.python.org/3/library/os.path.html#os.path.realpath). If a UNC path (such as `\\attacker.com\share`) reaches the resolver, `realpath` causes the…

  • CVE-2026-50168higJun 15, 2026
    risk 0.38cvss epss 0.00

    An issue in the `@angular/platform-server` package allows remote attackers to bypass host allowlist constraints and direct server-side outgoing requests to arbitrary external endpoints. This occurs due to a parser differential between the strict WHATWG URL parser used for…

  • CVE-2026-46683MedJun 10, 2026
    risk 0.38cvss epss 0.00

    Snappy is a PHP library allowing thumbnail, snapshot or PDF generation from a url or a html page. Prior to version 1.7.0, there is a SSRF and local file read vulnerability via the xsl-style-sheet option. This issue has been patched in version 1.7.0.

  • CVE-2026-44023higJun 3, 2026
    risk 0.38cvss epss 0.00

    ### Impact In versions `>= 1.5.0, < 2.74.1`, `docling-core` did not sufficiently restrict remote request destinations and could resolve a server-provided `Content-Disposition` to a local path in an unsafe manner. In applications that accept untrusted URLs, this could allow SSRF…

  • CVE-2026-44016higJun 3, 2026
    risk 0.38cvss epss 0.00

    ### Impact In versions `>= 2.82.0, < 2.91.0`, if the HTML backend was explicitly configured for rendering (rendering option by default deactivated), then the Playwright-based rendering feature could allow JavaScript execution and unrestricted network access when processing…

  • CVE-2026-10517MedJun 1, 2026
    risk 0.38cvss 5.8epss 0.00

    A flaw was found in Clair. The fetcher component makes outbound HTTP requests to attacker-supplied URIs from manifest layer descriptors without IP or scheme filtering. When PSK authentication is not configured (opt-in, not enforced by default), an unauthenticated attacker can…

  • CVE-2026-8606MedMay 27, 2026
    risk 0.38cvss 5.9epss 0.00

    A Server-Side Request Forgery (SSRF) vulnerability was identified in GitHub Enterprise Server that allowed an attacker to cause the server to issue HTTP requests to internal services via the security advisories package lookup feature. By directing requests to an internal…

  • CVE-2026-46417higMay 19, 2026
    risk 0.38cvss epss 0.00

    ### Impact A Server-Side Request Forgery (SSRF) vulnerability exists in `@angular/platform-server`. The issue stems from how the server-side rendering (SSR) engine processes the request URL provided to the rendering entry points. When an absolute-form URL (e.g.,…

  • CVE-2026-41682MedMay 8, 2026
    risk 0.38cvss epss 0.00

    pupnp is an SDK for development of UPnP device and control point applications. Prior to version 1.18.5, pupnp is vulnerable to SRRF port confusion due to port truncation via atoi() cast in parse_uri(). This issue has been patched in version 1.18.5.

  • CVE-2026-3881MedMar 31, 2026
    risk 0.38cvss 5.8epss 0.00

    The Performance Monitor WordPress plugin through 1.0.6 does not validate a parameter before making a request to it, which could allow unauthenticated users to perform SSRF attacks

  • CVE-2026-4366MedMar 18, 2026
    risk 0.38cvss 5.8epss 0.00

    A flaw was identified in Keycloak, an identity and access management solution, where it improperly follows HTTP redirects when processing certain client configuration requests. This behavior allows an attacker to trick the server into making unintended requests to internal or…

  • CVE-2026-25870MedFeb 10, 2026
    risk 0.38cvss 5.8epss 0.00

    DoraCMS version 3.1 and prior contains a server-side request forgery (SSRF) vulnerability in its UEditor remote image fetch functionality. The application accepts user-supplied URLs and performs server-side HTTP or HTTPS requests without sufficient validation or destination…

  • CVE-2026-25528MedFeb 9, 2026
    risk 0.38cvss 5.8epss 0.00

    LangSmith Client SDKs provide SDK's for interacting with the LangSmith platform. The LangSmith SDK's distributed tracing feature is vulnerable to Server-Side Request Forgery via malicious HTTP headers. An attacker can inject arbitrary api_url values through the baggage header,…

  • CVE-2026-25904MedFeb 9, 2026
    risk 0.38cvss 5.8epss 0.00

    The Pydantic-AI MCP Run Python tool configures the Deno sandbox with an overly permissive configuration that allows the underlying Python code to access the localhost interface of the host to perform SSRF attacks. Note - the "mcp-run-python" project is archived and unlikely to…

  • CVE-2026-1180MedJan 20, 2026
    risk 0.38cvss 5.8epss 0.00

    A flaw was identified in Keycloak’s OpenID Connect Dynamic Client Registration feature when clients authenticate using private_key_jwt. The issue allows a client to specify an arbitrary jwks_uri, which Keycloak then retrieves without validating the destination. This enables…

  • CVE-2025-11467MedDec 11, 2025
    risk 0.38cvss 5.8epss 0.00

    The RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator plugin for WordPress is vulnerable to Blind Server-Side Request Forgery in all versions up to, and including, 5.1.1 via the feedzy_lazy_load function. This makes it possible for…

  • CVE-2025-11427MedNov 18, 2025
    risk 0.38cvss 5.8epss 0.00

    The WP Migrate Lite – WordPress Migration Made Easy plugin for WordPress is vulnerable to Blind Server-Side Request Forgery in all versions up to, and including, 2.7.6 via the wpmdb_flush AJAX action. This makes it possible for unauthenticated attackers to make web requests to…

  • CVE-2025-60898MedOct 29, 2025
    risk 0.38cvss 5.8epss 0.00

    An unauthenticated server-side request forgery (SSRF) vulnerability in the Thumbnail via-uri endpoint of Halo CMS 2.21 allows a remote attacker to cause the server to issue HTTP requests to attacker-controlled URLs, including internal addresses. The endpoint performs a…