VYPR

CWE-918

Server-Side Request Forgery (SSRF)

Abstraction: Base | Status: Incomplete

Description

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-664

CVEs mapped to this weakness (1,583)

page 57 of 80
  • CVE-2017-16678 | Med | Dec 12, 2017
    risk 0.31 | cvss 4.7 | epss 0.01

    Server Side Request Forgery (SSRF) vulnerability in SAP NetWeaver Knowledge Management Configuration Service, EPBC and EPBC2 from 7.00 to 7.02; KMC-BC 7.30, 7.31, 7.40 and 7.50, that allows an attacker to manipulate the vulnerable application to send crafted requests on behalf…

  • CVE-2017-7200 | Med | Mar 21, 2017
    risk 0.31 | cvss 5.8 | epss 0.02

    An SSRF issue was discovered in OpenStack Glance before Newton. The 'copy_from' feature in the Image Service API v1 allowed an attacker to perform masked network port scans. With v1, it is possible to create images with a URL such as 'http://localhost:22'. This could then allow…

  • CVE-2026-44520 | Med | May 14, 2026
    risk 0.30 | cvss 5.7 | epss 0.00

    Docling-Graph turns documents into validated Pydantic objects, then builds a directed knowledge graph with explicit semantic relationships. Prior to 1.5.1, the URLInputHandler class in docling_graph/core/input/handlers.py makes HTTP requests to user-supplied URLs without…

  • CVE-2025-48739 | Med | May 23, 2025
    risk 0.30 | cvss n/a | epss 0.00

    A Server-Side Request Forgery (SSRF) vulnerability in StrangeBee TheHive 5.2.0 before 5.2.16, 5.3.0 before 5.3.11, 5.4.0 before 5.4.10, and 5.5.0 before 5.5.1 allows remote authenticated attackers with admin permissions (allowing them to access specific API endpoints) to…

  • CVE-2025-60175 | Med | Jun 15, 2026
    risk 0.29 | cvss 4.4 | epss 0.00

    Administrator Server Side Request Forgery (SSRF) in PopAd <= 1.0.4 versions.

  • CVE-2026-6812 | Med | May 2, 2026
    risk 0.29 | cvss 4.4 | epss 0.00

    The Ona theme for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.26 via the ona_activate_child_theme. This makes it possible for authenticated attackers, with administrator-level access and above, to make web requests to arbitrary…

  • CVE-2026-41177 | Med | Apr 22, 2026
    risk 0.29 | cvss 5.5 | epss 0.00

    Squidex is an open source headless content management system and content management hub. Prior to version 7.23.0, the Squidex Restore API is vulnerable to Blind Server-Side Request Forgery (SSRF). The application fails to validate the URI scheme of the user-supplied `Url`…

  • CVE-2026-41130 | Med | Apr 22, 2026
    risk 0.29 | cvss n/a | epss 0.00

    Craft CMS is a content management system (CMS). In versions on the 4.x branch through 4.17.8 and the 5.x branch through 5.9.14, the `resource-js` endpoint in Craft CMS allows unauthenticated requests to proxy remote JavaScript resources. When `trustedHosts` is not explicitly…

  • CVE-2026-41129 | Med | Apr 22, 2026
    risk 0.29 | cvss n/a | epss 0.00

    Craft CMS is a content management system (CMS). Versions on the 4.x branch through 4.17.8 and the 5.x branch through 5.9.14 are vulnerable to Server-Side Request Forgery. The exploitation requires a few permissions to be enabled in the used GraphQL schema: "Edit assets in the…

  • CVE-2026-6011 | Med | Apr 10, 2026
    risk 0.29 | cvss 5.6 | epss 0.00

    A weakness has been identified in OpenClaw up to 2026.1.26. Affected by this issue is some unknown functionality of the file src/agents/tools/web-fetch.ts of the component assertPublicHostname Handler. Executing a manipulation can lead to server-side request forgery. The attack…

  • CVE-2026-33237 | Med | Mar 21, 2026
    risk 0.29 | cvss 5.5 | epss 0.00

    WWBN AVideo is an open source video platform. Prior to version 26.0, the Scheduler plugin's `run()` function in `plugin/Scheduler/Scheduler.php` calls `url_get_contents()` with an admin-configurable `callbackURL` that is validated only by `isValidURL()` (URL format check).…

  • CVE-2026-25428 | Med | Feb 19, 2026
    risk 0.29 | cvss 4.4 | epss 0.00

    Server-Side Request Forgery (SSRF) vulnerability in totalsoft TS Poll poll-wp allows Server Side Request Forgery. This issue affects TS Poll: from n/a through <= 2.5.5.

  • CVE-2026-24360 | Med | Jan 22, 2026
    risk 0.29 | cvss 4.4 | epss 0.00

    Server-Side Request Forgery (SSRF) vulnerability in Craig Hewitt Seriously Simple Podcasting seriously-simple-podcasting allows Server Side Request Forgery. This issue affects Seriously Simple Podcasting: from n/a through <= 3.14.1.

  • CVE-2025-11970 | Med | Dec 13, 2025
    risk 0.29 | cvss 4.4 | epss 0.00

    The Emplibot – AI Content Writer with Keyword Research, Infographics, and Linking | SEO Optimized | Fully Automated plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.0.9 via the emplibot_call_webhook_with_error() and…

  • CVE-2025-49917 | Med | Oct 22, 2025
    risk 0.29 | cvss 4.4 | epss 0.00

    Server-Side Request Forgery (SSRF) vulnerability in Icegram Icegram Express Pro email-subscribers-premium allows Server Side Request Forgery. This issue affects Icegram Express Pro: from n/a through <= 5.9.5.

  • CVE-2025-10056 | Med | Oct 15, 2025
    risk 0.29 | cvss 4.4 | epss 0.00

    The Task Scheduler plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.6.3 via the “Check Website” task. This makes it possible for authenticated attackers, with Administrator-level access and above, to make web requests…

  • CVE-2025-57984 | Med | Sep 22, 2025
    risk 0.29 | cvss 4.4 | epss 0.00

    Server-Side Request Forgery (SSRF) vulnerability in Pratik Ghela MakeStories (for Google Web Stories) makestories-helper allows Server Side Request Forgery. This issue affects MakeStories (for Google Web Stories): from n/a through <= 3.0.4.

  • CVE-2025-57943 | Med | Sep 22, 2025
    risk 0.29 | cvss 4.4 | epss 0.00

    Server-Side Request Forgery (SSRF) vulnerability in Skimlinks Skimlinks Affiliate Marketing Tool skimlinks allows Server Side Request Forgery. This issue affects Skimlinks Affiliate Marketing Tool: from n/a through <= 1.3.1.

  • CVE-2025-53461 | Med | Sep 22, 2025
    risk 0.29 | cvss 4.4 | epss 0.00

    Server-Side Request Forgery (SSRF) vulnerability in Binsaifullah Beaf image-compare-block allows Server Side Request Forgery. This issue affects Beaf: from n/a through <= 1.6.2.

  • CVE-2025-53457 | Med | Sep 22, 2025
    risk 0.29 | cvss 4.4 | epss 0.00

    Server-Side Request Forgery (SSRF) vulnerability in activewebsight SEO Backlink Monitor seo-backlink-monitor allows Server Side Request Forgery. This issue affects SEO Backlink Monitor: from n/a through <= 1.8.0.