VYPR

CWE-918

Server-Side Request Forgery (SSRF)

Abstraction: Base | Status: Incomplete

Description

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-664

CVEs mapped to this weakness (1,583)

page 63 of 80
  • CVE-2026-44583 | Med | Jun 22, 2026
    risk 0.26 | cvss | epss

    Summary: The PayPal webhook endpoint `/extensions/paypal/webhook` processes the `PAYPAL-CERT-URL` HTTP header without validation, allowing attackers to control server-side HTTP request destinations. Technical details: The `/extensions/paypal/webhook` endpoint processes…

  • CVE-2026-44202 | Med | Jun 22, 2026
    risk 0.26 | cvss | epss

    OpenAM (Open Identity Platform) is an open-source Identity and Access Management (IAM) platform derived from ForgeRock OpenAM, providing SSO, OAuth2, SAML, and OpenID Connect capabilities. It is widely deployed in enterprise environments as a central authentication gateway. The…

  • CVE-2026-49138 | Med | Jun 1, 2026
    risk 0.26 | cvss 5.0 | epss 0.00

    Nanobot prior to version 0.2.1 contains a server-side request forgery vulnerability in the web_fetch tool that allows remote attackers to reach internal or private network hosts by supplying a URL that redirects to a loopback or private address via a 3xx Location header.…

  • CVE-2026-46526 | Med | May 28, 2026
    risk 0.26 | cvss 5.0 | epss 0.00

    Local Deep Research is an AI-powered research assistant for deep, iterative research. Prior to 1.6.10, the URL checking logic in local-deep-research has a logical flaw that could be bypassed by attackers, leading to SSRF attacks. The current project uses validate_url to validate…

  • CVE-2026-43979 | Med | May 28, 2026
    risk 0.26 | cvss 5.0 | epss 0.00

    Local Deep Research is an AI-powered research assistant for deep, iterative research. Prior to 1.6.0, PDFService._markdown_to_html() constructs an HTML document by interpolating user-controlled values — specifically title (sourced from research.title or research.query) and…

  • CVE-2026-48128 | Med | May 27, 2026
    risk 0.26 | cvss | epss 0.00

    Budibase is an open-source low-code platform. Prior to 3.39.0, the executeQuery automation step in Budibase accepts a queryId from automation step inputs and passes it directly to the query execution controller without additional validation. When combined with a REST datasource…

  • CVE-2026-42336 | Med | May 26, 2026
    risk 0.26 | cvss | epss 0.00

    MaxKB is an open-source AI assistant for enterprise. MaxKB 2.8.0 and prior are vulnerable to a server-side request forgery (SSRF) bypass in the OSS file service URL fetch functionality due to inconsistent DNS resolution between validation and actual request execution, allowing…

  • CVE-2026-41195 | Med | May 12, 2026
    risk 0.26 | cvss 5.0 | epss 0.00

    mosparo is the modern solution to protect your online forms from spam. Prior to 1.4.13, the automatic rule package source URL feature allows a project member with the editor role to store an attacker-controlled URL that the server later fetches. Because the server follows…

  • CVE-2026-45000 | Med | May 11, 2026
    risk 0.26 | cvss 5.0 | epss 0.00

    OpenClaw before 2026.4.20 contains a server-side request forgery vulnerability in browser CDP profile creation that skips strict-mode SSRF policy checks. Attackers can create stored profiles pointing to private-network or metadata endpoints that bypass security policies and are…

  • CVE-2026-42213 | Med | May 8, 2026
    risk 0.26 | cvss | epss 0.00

    SolidCAM-GPPL-IDE is an unofficial, independently developed extension, Postprocessor IDE for SolidCAM. From version 1.0.0 to before version 1.0.2, the inc "filename" directive in GPPL postprocessor files is resolved by GpplDocumentLinkHandler into a clickable link (VS Code…

  • CVE-2026-41413 | Med | May 7, 2026
    risk 0.26 | cvss 5.0 | epss 0.00

    Istio is an open platform to connect, manage, and secure microservices. Prior to versions 1.28.6 and 1.29.2, when a RequestAuthentication resource is created with a jwksUri pointing to an internal service, istiod makes an unauthenticated HTTP GET request to that URL without…

  • CVE-2026-35527 | Med | May 5, 2026
    risk 0.26 | cvss 5.0 | epss 0.00

    Incus is an open source container and virtual machine manager. In versions prior to 7.0.0, the image import flow issues an outbound HEAD request to a user-supplied URL before validating the request against project restrictions such as restricted.images.servers. The…

  • CVE-2026-34244 | Med | Apr 15, 2026
    risk 0.26 | cvss 5.0 | epss 0.00

    Weblate is a web based localization tool. In versions prior to 5.17, a user with the project.edit permission (granted by the per-project "Administration" role) can configure machine translation service URLs pointing to arbitrary internal network addresses. During configuration…

  • CVE-2026-33440 | Med | Apr 15, 2026
    risk 0.26 | cvss 5.0 | epss 0.00

    Weblate is a web based localization tool. In versions prior to 5.17, the ALLOWED_ASSET_DOMAINS setting applied only to the first issued requests and didn't restrict possible redirects. This issue has been fixed in version 5.17.

  • CVE-2026-39418 | Med | Apr 14, 2026
    risk 0.26 | cvss 5.0 | epss 0.00

    MaxKB is an open-source AI assistant for enterprise. In versions 2.7.1 and below, sandbox network protection can be bypassed by using socket.sendto() with the MSG_FASTOPEN flag. This allows authenticated user with tool-editing permissions to reach internal services that are…

  • CVE-2026-4979 | Med | Apr 11, 2026
    risk 0.26 | cvss 5.0 | epss 0.00

    The UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WP plugin for WordPress is vulnerable to blind Server-Side Request Forgery in all versions up to, and including, 1.2.58. This is due to insufficient URL origin validation in the…

  • CVE-2026-35516 | Med | Apr 7, 2026
    risk 0.26 | cvss 5.0 | epss 0.00

    LinkAce is a self-hosted archive to collect website links. Prior to 2.5.4, LinkRepository::update and CheckLinksCommand::checkLink do not check for private IPs. An authenticated user can read responses from internal services (AWS IMDSv1, cloud metadata, internal APIs) by…

  • CVE-2026-34526 | Med | Apr 2, 2026
    risk 0.26 | cvss 5.0 | epss 0.00

    SillyTavern is a locally installed user interface that allows users to interact with text generation large language models, image generation engines, and text-to-speech voice models. Prior to version 1.17.0, in src/endpoints/search.js, the hostname is checked against…

  • CVE-2026-33185 | Med | Mar 31, 2026
    risk 0.26 | cvss 5.0 | epss 0.00

    Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, the group email settings test endpoint could be used to make the server initiate outbound connections to…

  • CVE-2026-33537 | Med | Mar 26, 2026
    risk 0.26 | cvss 5.0 | epss 0.00

    Lychee is a free, open-source photo-management tool. The patch introduced for GHSA-cpgw-wgf3-xc6v (SSRF via `Photo::fromUrl`) contains an incomplete IP validation check that fails to block loopback addresses and link-local addresses. Prior to version 7.5.1, an authenticated user…