CWE-918
Server-Side Request Forgery (SSRF)
Description
The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Hierarchy (View 1000)
Parents
Children
none
Related attack patterns (CAPEC)
CAPEC-664
CVEs mapped to this weakness (1,583)
page 43 of 80| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-42038 | Med | 0.37 | 6.8 | 0.00 | Apr 24, 2026 | Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, he fix for no_proxy hostname normalization bypass is incomplete. When no_proxy=localhost is set, requests to 127.0.0.1 and [::1] still route through the proxy instead of bypassing it.… | ||
| CVE-2026-33486 | Med | 0.37 | 6.8 | 0.00 | Mar 26, 2026 | Roadiz is a polymorphic content management system based on a node system that can handle many types of services. A vulnerability in roadiz/documents prior to versions 2.7.9, 2.6.28, 2.5.44, and 2.3.42 allows an authenticated attacker to read any file on the server's local file… | ||
| CVE-2025-12136 | Med | 0.37 | 6.8 | 0.00 | Oct 24, 2025 | The Real Cookie Banner: GDPR & ePrivacy Cookie Consent plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 5.2.4. This is due to insufficient validation on the user-supplied URL in the '/scanner/scan-without-login' REST API… | ||
| CVE-2026-39464 | Med | 0.36 | 5.5 | 0.00 | Apr 8, 2026 | Server-Side Request Forgery (SSRF) vulnerability in SeedProd Coming Soon Page, Under Construction & Maintenance Mode by SeedProd coming-soon allows Server Side Request Forgery.This issue affects Coming Soon Page, Under Construction & Maintenance Mode by SeedProd: from n/a… | ||
| CVE-2026-5618 | Med | 0.36 | 5.6 | 0.00 | Apr 6, 2026 | A vulnerability was detected in kalcaddle kodbox up to 1.64. This affects an unknown function of the component shareMake/shareCheck. Performing a manipulation of the argument siteFrom/siteTo results in server-side request forgery. The attack is possible to be carried out… | ||
| CVE-2026-25385 | Med | 0.36 | 5.5 | 0.00 | Feb 19, 2026 | Server-Side Request Forgery (SSRF) vulnerability in KaizenCoders URL Shortify url-shortify allows Server Side Request Forgery.This issue affects URL Shortify: from n/a through <= 1.12.3. | ||
| CVE-2026-2711 | Med | 0.36 | 5.6 | 0.00 | Feb 19, 2026 | A vulnerability has been found in zhutoutoutousan worldquant-miner up to 1.0.9. The impacted element is an unknown function of the file worldquant-miner-master/agent-dify-api/core/helper/ssrf_proxy.py of the component URL Handler. The manipulation of the argument make_request… | ||
| CVE-2026-0745 | Med | 0.36 | 5.5 | 0.00 | Feb 14, 2026 | The User Language Switch plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.6.10 due to missing URL validation on the 'download_language()' function. This makes it possible for authenticated attackers, with… | ||
| CVE-2025-10874 | Med | 0.36 | 5.5 | 0.00 | Oct 24, 2025 | The Orbit Fox: Duplicate Page, Menu Icons, SVG Support, Cookie Notice, Custom Fonts & More WordPress plugin before 3.0.2 does not limit URLs which may be used for the stock photo import feature, allowing the user to specify arbitrary URLs. This leads to a server-side request… | ||
| CVE-2025-11648 | Med | 0.36 | 5.6 | 0.00 | Oct 12, 2025 | A vulnerability has been found in Tomofun Furbo 360 and Furbo Mini. Impacted is an unknown function of the file TF_FQDN.json of the component GATT Interface URL Handler. Such manipulation leads to server-side request forgery. The attack may be performed from remote. Attacks of… | ||
| CVE-2025-53241 | Med | 0.36 | 5.5 | 0.00 | Aug 14, 2025 | Server-Side Request Forgery (SSRF) vulnerability in kodeshpa Simplified simplified allows Server Side Request Forgery.This issue affects Simplified: from n/a through <= 1.0.11. | ||
| CVE-2025-5818 | Med | 0.36 | 5.5 | 0.00 | Jul 23, 2025 | The Featured Image Plus – Quick & Bulk Edit with Unsplash plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.6.6 via the fip_get_image_options() function. This makes it possible for authenticated attackers, with… | ||
| CVE-2024-13940 | Med | 0.36 | 5.5 | 0.00 | May 14, 2025 | The Ninja Forms Webhooks plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 3.0.7 via the form webhook functionality. This makes it possible for authenticated attackers, with Administrator-level access and above, to make web… | ||
| CVE-2025-47635 | Med | 0.36 | 5.5 | 0.00 | May 7, 2025 | Server-Side Request Forgery (SSRF) vulnerability in WPWebinarSystem WebinarPress wp-webinarsystem allows Server Side Request Forgery.This issue affects WebinarPress: from n/a through <= 1.33.28. | ||
| CVE-2024-13879 | Med | 0.36 | 5.5 | 0.00 | Feb 17, 2025 | The Stream plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 4.0.2 due to insufficient validation on the webhook feature. This makes it possible for authenticated attackers, with administrator-level access and above, to make… | ||
| CVE-2024-40441 | Med | 0.36 | 6.6 | 0.01 | Sep 23, 2024 | An issue in Doccano Open source annotation tools for machine learning practitioners v.1.8.4 and Doccano Auto Labeling Pipeline module to annotate a document automatically v.0.1.23 allows a remote attacker to escalate privileges via the model_attribs parameter. | ||
| CVE-2024-31229 | Med | 0.36 | 5.5 | 0.00 | Apr 18, 2024 | Server-Side Request Forgery (SSRF) vulnerability in Really Simple Plugins Really Simple SSL.This issue affects Really Simple SSL: from n/a through 7.2.3. | ||
| CVE-2023-50374 | Med | 0.36 | 5.5 | 0.00 | Mar 28, 2024 | Server-Side Request Forgery (SSRF) vulnerability in NiteoThemes CMP – Coming Soon & Maintenance.This issue affects CMP – Coming Soon & Maintenance: from n/a through 4.1.10. | ||
| CVE-2022-40312 | Med | 0.36 | 5.5 | 0.00 | Dec 18, 2023 | Server-Side Request Forgery (SSRF) vulnerability in GiveWP GiveWP – Donation Plugin and Fundraising Platform.This issue affects GiveWP – Donation Plugin and Fundraising Platform: from n/a through 2.25.1. | ||
| CVE-2023-38515 | Med | 0.36 | 5.5 | 0.00 | Nov 13, 2023 | Server-Side Request Forgery (SSRF) vulnerability in Andy Moyle Church Admin.This issue affects Church Admin: from n/a through 3.7.56. |
- risk 0.37cvss 6.8epss 0.00
Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, he fix for no_proxy hostname normalization bypass is incomplete. When no_proxy=localhost is set, requests to 127.0.0.1 and [::1] still route through the proxy instead of bypassing it.…
- risk 0.37cvss 6.8epss 0.00
Roadiz is a polymorphic content management system based on a node system that can handle many types of services. A vulnerability in roadiz/documents prior to versions 2.7.9, 2.6.28, 2.5.44, and 2.3.42 allows an authenticated attacker to read any file on the server's local file…
- risk 0.37cvss 6.8epss 0.00
The Real Cookie Banner: GDPR & ePrivacy Cookie Consent plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 5.2.4. This is due to insufficient validation on the user-supplied URL in the '/scanner/scan-without-login' REST API…
- risk 0.36cvss 5.5epss 0.00
Server-Side Request Forgery (SSRF) vulnerability in SeedProd Coming Soon Page, Under Construction & Maintenance Mode by SeedProd coming-soon allows Server Side Request Forgery.This issue affects Coming Soon Page, Under Construction & Maintenance Mode by SeedProd: from n/a…
- risk 0.36cvss 5.6epss 0.00
A vulnerability was detected in kalcaddle kodbox up to 1.64. This affects an unknown function of the component shareMake/shareCheck. Performing a manipulation of the argument siteFrom/siteTo results in server-side request forgery. The attack is possible to be carried out…
- risk 0.36cvss 5.5epss 0.00
Server-Side Request Forgery (SSRF) vulnerability in KaizenCoders URL Shortify url-shortify allows Server Side Request Forgery.This issue affects URL Shortify: from n/a through <= 1.12.3.
- risk 0.36cvss 5.6epss 0.00
A vulnerability has been found in zhutoutoutousan worldquant-miner up to 1.0.9. The impacted element is an unknown function of the file worldquant-miner-master/agent-dify-api/core/helper/ssrf_proxy.py of the component URL Handler. The manipulation of the argument make_request…
- risk 0.36cvss 5.5epss 0.00
The User Language Switch plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.6.10 due to missing URL validation on the 'download_language()' function. This makes it possible for authenticated attackers, with…
- risk 0.36cvss 5.5epss 0.00
The Orbit Fox: Duplicate Page, Menu Icons, SVG Support, Cookie Notice, Custom Fonts & More WordPress plugin before 3.0.2 does not limit URLs which may be used for the stock photo import feature, allowing the user to specify arbitrary URLs. This leads to a server-side request…
- risk 0.36cvss 5.6epss 0.00
A vulnerability has been found in Tomofun Furbo 360 and Furbo Mini. Impacted is an unknown function of the file TF_FQDN.json of the component GATT Interface URL Handler. Such manipulation leads to server-side request forgery. The attack may be performed from remote. Attacks of…
- risk 0.36cvss 5.5epss 0.00
Server-Side Request Forgery (SSRF) vulnerability in kodeshpa Simplified simplified allows Server Side Request Forgery.This issue affects Simplified: from n/a through <= 1.0.11.
- risk 0.36cvss 5.5epss 0.00
The Featured Image Plus – Quick & Bulk Edit with Unsplash plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.6.6 via the fip_get_image_options() function. This makes it possible for authenticated attackers, with…
- risk 0.36cvss 5.5epss 0.00
The Ninja Forms Webhooks plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 3.0.7 via the form webhook functionality. This makes it possible for authenticated attackers, with Administrator-level access and above, to make web…
- risk 0.36cvss 5.5epss 0.00
Server-Side Request Forgery (SSRF) vulnerability in WPWebinarSystem WebinarPress wp-webinarsystem allows Server Side Request Forgery.This issue affects WebinarPress: from n/a through <= 1.33.28.
- risk 0.36cvss 5.5epss 0.00
The Stream plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 4.0.2 due to insufficient validation on the webhook feature. This makes it possible for authenticated attackers, with administrator-level access and above, to make…
- risk 0.36cvss 6.6epss 0.01
An issue in Doccano Open source annotation tools for machine learning practitioners v.1.8.4 and Doccano Auto Labeling Pipeline module to annotate a document automatically v.0.1.23 allows a remote attacker to escalate privileges via the model_attribs parameter.
- risk 0.36cvss 5.5epss 0.00
Server-Side Request Forgery (SSRF) vulnerability in Really Simple Plugins Really Simple SSL.This issue affects Really Simple SSL: from n/a through 7.2.3.
- risk 0.36cvss 5.5epss 0.00
Server-Side Request Forgery (SSRF) vulnerability in NiteoThemes CMP – Coming Soon & Maintenance.This issue affects CMP – Coming Soon & Maintenance: from n/a through 4.1.10.
- risk 0.36cvss 5.5epss 0.00
Server-Side Request Forgery (SSRF) vulnerability in GiveWP GiveWP – Donation Plugin and Fundraising Platform.This issue affects GiveWP – Donation Plugin and Fundraising Platform: from n/a through 2.25.1.
- risk 0.36cvss 5.5epss 0.00
Server-Side Request Forgery (SSRF) vulnerability in Andy Moyle Church Admin.This issue affects Church Admin: from n/a through 3.7.56.