VYPR

CWE-918

Server-Side Request Forgery (SSRF)

BaseIncomplete

Description

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-664

CVEs mapped to this weakness (1,583)

page 43 of 80
  • CVE-2026-42038MedApr 24, 2026
    risk 0.37cvss 6.8epss 0.00

    Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, he fix for no_proxy hostname normalization bypass is incomplete. When no_proxy=localhost is set, requests to 127.0.0.1 and [::1] still route through the proxy instead of bypassing it.…

  • CVE-2026-33486MedMar 26, 2026
    risk 0.37cvss 6.8epss 0.00

    Roadiz is a polymorphic content management system based on a node system that can handle many types of services. A vulnerability in roadiz/documents prior to versions 2.7.9, 2.6.28, 2.5.44, and 2.3.42 allows an authenticated attacker to read any file on the server's local file…

  • CVE-2025-12136MedOct 24, 2025
    risk 0.37cvss 6.8epss 0.00

    The Real Cookie Banner: GDPR & ePrivacy Cookie Consent plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 5.2.4. This is due to insufficient validation on the user-supplied URL in the '/scanner/scan-without-login' REST API…

  • CVE-2026-39464MedApr 8, 2026
    risk 0.36cvss 5.5epss 0.00

    Server-Side Request Forgery (SSRF) vulnerability in SeedProd Coming Soon Page, Under Construction & Maintenance Mode by SeedProd coming-soon allows Server Side Request Forgery.This issue affects Coming Soon Page, Under Construction & Maintenance Mode by SeedProd: from n/a…

  • CVE-2026-5618MedApr 6, 2026
    risk 0.36cvss 5.6epss 0.00

    A vulnerability was detected in kalcaddle kodbox up to 1.64. This affects an unknown function of the component shareMake/shareCheck. Performing a manipulation of the argument siteFrom/siteTo results in server-side request forgery. The attack is possible to be carried out…

  • CVE-2026-25385MedFeb 19, 2026
    risk 0.36cvss 5.5epss 0.00

    Server-Side Request Forgery (SSRF) vulnerability in KaizenCoders URL Shortify url-shortify allows Server Side Request Forgery.This issue affects URL Shortify: from n/a through <= 1.12.3.

  • CVE-2026-2711MedFeb 19, 2026
    risk 0.36cvss 5.6epss 0.00

    A vulnerability has been found in zhutoutoutousan worldquant-miner up to 1.0.9. The impacted element is an unknown function of the file worldquant-miner-master/agent-dify-api/core/helper/ssrf_proxy.py of the component URL Handler. The manipulation of the argument make_request…

  • CVE-2026-0745MedFeb 14, 2026
    risk 0.36cvss 5.5epss 0.00

    The User Language Switch plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.6.10 due to missing URL validation on the 'download_language()' function. This makes it possible for authenticated attackers, with…

  • CVE-2025-10874MedOct 24, 2025
    risk 0.36cvss 5.5epss 0.00

    The Orbit Fox: Duplicate Page, Menu Icons, SVG Support, Cookie Notice, Custom Fonts & More WordPress plugin before 3.0.2 does not limit URLs which may be used for the stock photo import feature, allowing the user to specify arbitrary URLs. This leads to a server-side request…

  • CVE-2025-11648MedOct 12, 2025
    risk 0.36cvss 5.6epss 0.00

    A vulnerability has been found in Tomofun Furbo 360 and Furbo Mini. Impacted is an unknown function of the file TF_FQDN.json of the component GATT Interface URL Handler. Such manipulation leads to server-side request forgery. The attack may be performed from remote. Attacks of…

  • CVE-2025-53241MedAug 14, 2025
    risk 0.36cvss 5.5epss 0.00

    Server-Side Request Forgery (SSRF) vulnerability in kodeshpa Simplified simplified allows Server Side Request Forgery.This issue affects Simplified: from n/a through <= 1.0.11.

  • CVE-2025-5818MedJul 23, 2025
    risk 0.36cvss 5.5epss 0.00

    The Featured Image Plus – Quick & Bulk Edit with Unsplash plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.6.6 via the fip_get_image_options() function. This makes it possible for authenticated attackers, with…

  • CVE-2024-13940MedMay 14, 2025
    risk 0.36cvss 5.5epss 0.00

    The Ninja Forms Webhooks plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 3.0.7 via the form webhook functionality. This makes it possible for authenticated attackers, with Administrator-level access and above, to make web…

  • CVE-2025-47635MedMay 7, 2025
    risk 0.36cvss 5.5epss 0.00

    Server-Side Request Forgery (SSRF) vulnerability in WPWebinarSystem WebinarPress wp-webinarsystem allows Server Side Request Forgery.This issue affects WebinarPress: from n/a through <= 1.33.28.

  • CVE-2024-13879MedFeb 17, 2025
    risk 0.36cvss 5.5epss 0.00

    The Stream plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 4.0.2 due to insufficient validation on the webhook feature. This makes it possible for authenticated attackers, with administrator-level access and above, to make…

  • CVE-2024-40441MedSep 23, 2024
    risk 0.36cvss 6.6epss 0.01

    An issue in Doccano Open source annotation tools for machine learning practitioners v.1.8.4 and Doccano Auto Labeling Pipeline module to annotate a document automatically v.0.1.23 allows a remote attacker to escalate privileges via the model_attribs parameter.

  • CVE-2024-31229MedApr 18, 2024
    risk 0.36cvss 5.5epss 0.00

    Server-Side Request Forgery (SSRF) vulnerability in Really Simple Plugins Really Simple SSL.This issue affects Really Simple SSL: from n/a through 7.2.3.

  • CVE-2023-50374MedMar 28, 2024
    risk 0.36cvss 5.5epss 0.00

    Server-Side Request Forgery (SSRF) vulnerability in NiteoThemes CMP – Coming Soon & Maintenance.This issue affects CMP – Coming Soon & Maintenance: from n/a through 4.1.10.

  • CVE-2022-40312MedDec 18, 2023
    risk 0.36cvss 5.5epss 0.00

    Server-Side Request Forgery (SSRF) vulnerability in GiveWP GiveWP – Donation Plugin and Fundraising Platform.This issue affects GiveWP – Donation Plugin and Fundraising Platform: from n/a through 2.25.1.

  • CVE-2023-38515MedNov 13, 2023
    risk 0.36cvss 5.5epss 0.00

    Server-Side Request Forgery (SSRF) vulnerability in Andy Moyle Church Admin.This issue affects Church Admin: from n/a through 3.7.56.