CWE-918
Server-Side Request Forgery (SSRF)
Description
The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Hierarchy (View 1000)
Parents
Children
none
Related attack patterns (CAPEC)
CAPEC-664
CVEs mapped to this weakness (1,583)
page 67 of 80| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-8013 | Low | 0.18 | 3.8 | 0.00 | Aug 15, 2025 | The Quttera Web Malware Scanner plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 3.5.1.41 via the 'RunExternalScan' function. This makes it possible for authenticated attackers, with Administrator-level access and above, to… | ||
| CVE-2024-47190 | Low | 0.18 | 2.7 | 0.00 | Nov 8, 2024 | Northern.tech Hosted Mender before 2024.07.11 allows SSRF. | ||
| CVE-2026-44589 | Low | 0.17 | 3.7 | 0.00 | May 14, 2026 | Nuxt OG Image generates OG Images with Vue templates in Nuxt. The isBlockedUrl() denylist introduced in nuxt-og-image@6.2.5 to remediate GHSA-pqhr-mp3f-hrpp (Dmitry Prokhorov / Positive Technologies, March 2026) is incomplete. It has an incomplete IPv6 prefix list and is missing… | ||
| CVE-2025-51591 | Low | 0.17 | 3.7 | 0.01 | Jul 11, 2025 | A Server-Side Request Forgery (SSRF) in JGM Pandoc v3.6.4 allows attackers to gain access to and compromise the whole infrastructure via injecting a crafted iframe. Note: Some users have stated that Pandoc by default can retrieve and parse untrusted HTML content which can enable… | ||
| CVE-2024-11168 | Low | 0.17 | 3.7 | 0.01 | Nov 12, 2024 | The urllib.parse.urlsplit() and urlparse() functions improperly validated bracketed hosts (`[]`), allowing hosts that weren't IPv6 or IPvFuture. This behavior was not conformant to RFC 3986 and potentially enabled SSRF if a URL is processed by more than one URL parser. | ||
| CVE-2024-40632 | Low | 0.17 | 3.7 | 0.00 | Jul 15, 2024 | Linkerd is an open source, ultralight, security-first service mesh for Kubernetes. In affected versions when the application being run by linkerd is susceptible to SSRF, an attacker could potentially trigger a denial-of-service (DoS) attack by making requests to… | ||
| CVE-2023-48711 | — | Low | 0.17 | 3.7 | 0.00 | Nov 24, 2023 | google-translate-api-browser is an npm package which interfaces with the google translate web api. A Server-Side Request Forgery (SSRF) Vulnerability is present in applications utilizing the `google-translate-api-browser` package and exposing the `translateOptions` to the end… | |
| CVE-2026-6333 | Low | 0.16 | 3.5 | 0.00 | May 18, 2026 | Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13 fail to validate the Host header when constructing response URLs for custom slash commands which allows an authenticated attacker to redirect slash command responses to an attacker-controlled server via a spoofed Host… | ||
| CVE-2026-42188 | — | Low | 0.16 | 2.4 | 0.00 | May 11, 2026 | Geyser is a bridge between Minecraft: Bedrock Edition and Minecraft: Java Edition. Prior to 2.9.3, a server-side request forgery (SSRF) vulnerability exists in Geyser’s handling of Bedrock player head texture data. By supplying a crafted Base64-encoded skin texture URL via the… | |
| CVE-2026-33659 | Low | 0.16 | 3.5 | 0.00 | Apr 13, 2026 | EspoCRM is an open source customer relationship management application. In versions 9.3.3 and below, the POST /api/v1/Attachment/fromImageUrl endpoint is vulnerable to Server-Side Request Forgery (SSRF) via a DNS rebinding (TOCTOU) condition. Host validation uses… | ||
| CVE-2026-24048 | Low | 0.16 | 3.5 | 0.00 | Jan 21, 2026 | Backstage is an open framework for building developer portals, and @backstage/backend-defaults provides the default implementations and setup for a standard Backstage backend app. Prior to versions 0.12.2, 0.13.2, 0.14.1, and 0.15.0, the `FetchUrlReader` component, used by the… | ||
| CVE-2024-42182 | Low | 0.16 | 2.5 | 0.00 | Jan 23, 2025 | BigFix Patch Download Plug-ins are affected by Server-Side Request Forgery (SSRF) vulnerability. It may allow the application to download files from an internally hosted server on localhost. | ||
| CVE-2023-32683 | Low | 0.16 | 3.5 | 0.01 | Jun 6, 2023 | Synapse is a Matrix protocol homeserver written in Python with the Twisted framework. A discovered oEmbed or image URL can bypass the `url_preview_url_blacklist` setting potentially allowing server side request forgery or bypassing network policies. Impact is limited to IP… | ||
| CVE-2026-0682 | Low | 0.14 | 2.2 | 0.00 | Jan 17, 2026 | The Church Admin plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 5.0.28 due to insufficient validation of user-supplied URLs in the 'audio_url' parameter. This makes it possible for authenticated attackers, with… | ||
| CVE-2025-62505 | Low | 0.13 | 3.0 | 0.00 | Oct 17, 2025 | LobeChat is an open source chat application platform. The web-crawler package in LobeChat version 1.136.1 allows server-side request forgery (SSRF) in the tools.search.crawlPages tRPC endpoint. A client can supply an arbitrary urls array together with impls containing the value… | ||
| CVE-2025-53018 | Low | 0.13 | 3.0 | 0.00 | Jun 27, 2025 | Lychee is a free, open-source photo-management tool. Prior to version 6.6.13, a critical Server-Side Request Forgery (SSRF) vulnerability exists in the `/api/v2/Photo::fromUrl` endpoint. This flaw lets an attacker instruct the application’s backend to make HTTP requests to any… | ||
| CVE-2021-21311 | — | Hig | 0.12 | 7.2 | 0.90 | KEV | Feb 11, 2021 | Adminer is an open-source database management in a single PHP file. In adminer from version 4.0.0 and before 4.7.9 there is a server-side request forgery vulnerability. Users of Adminer versions bundling all drivers (e.g. `adminer.php`) are affected. This is fixed in version… |
| CVE-2026-22597 | Low | 0.11 | 2.7 | 0.00 | Jan 10, 2026 | Ghost is a Node.js content management system. In versions 5.38.0 through 5.130.5 and 6.0.0 through 6.10.3, a vulnerability in Ghost’s media inliner mechanism allows staff users in possession of a valid authentication token for the Ghost Admin API to exfiltrate data from… | ||
| CVE-2025-9821 | Low | 0.11 | 2.7 | 0.00 | Sep 3, 2025 | SummaryUsers with webhook permissions can conduct SSRF via webhooks. If they have permission to view the webhook logs, the (partial) request response is also disclosed DetailsWhen sending webhooks, the destination is not validated, causing SSRF. ImpactBypass of firewalls to… | ||
| CVE-2025-47293 | Low | 0.11 | — | 0.00 | Jun 19, 2025 | PowSyBl (Power System Blocks) is a framework to build power system oriented software. Prior to version 6.7.2, in certain places, powsybl-core XML parsing is vulnerable to an XML external entity (XXE) attack and to a server-side request forgery (SSRF) attack. This allows an… |
- risk 0.18cvss 3.8epss 0.00
The Quttera Web Malware Scanner plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 3.5.1.41 via the 'RunExternalScan' function. This makes it possible for authenticated attackers, with Administrator-level access and above, to…
- risk 0.18cvss 2.7epss 0.00
Northern.tech Hosted Mender before 2024.07.11 allows SSRF.
- risk 0.17cvss 3.7epss 0.00
Nuxt OG Image generates OG Images with Vue templates in Nuxt. The isBlockedUrl() denylist introduced in nuxt-og-image@6.2.5 to remediate GHSA-pqhr-mp3f-hrpp (Dmitry Prokhorov / Positive Technologies, March 2026) is incomplete. It has an incomplete IPv6 prefix list and is missing…
- risk 0.17cvss 3.7epss 0.01
A Server-Side Request Forgery (SSRF) in JGM Pandoc v3.6.4 allows attackers to gain access to and compromise the whole infrastructure via injecting a crafted iframe. Note: Some users have stated that Pandoc by default can retrieve and parse untrusted HTML content which can enable…
- risk 0.17cvss 3.7epss 0.01
The urllib.parse.urlsplit() and urlparse() functions improperly validated bracketed hosts (`[]`), allowing hosts that weren't IPv6 or IPvFuture. This behavior was not conformant to RFC 3986 and potentially enabled SSRF if a URL is processed by more than one URL parser.
- risk 0.17cvss 3.7epss 0.00
Linkerd is an open source, ultralight, security-first service mesh for Kubernetes. In affected versions when the application being run by linkerd is susceptible to SSRF, an attacker could potentially trigger a denial-of-service (DoS) attack by making requests to…
- risk 0.17cvss 3.7epss 0.00
google-translate-api-browser is an npm package which interfaces with the google translate web api. A Server-Side Request Forgery (SSRF) Vulnerability is present in applications utilizing the `google-translate-api-browser` package and exposing the `translateOptions` to the end…
- risk 0.16cvss 3.5epss 0.00
Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13 fail to validate the Host header when constructing response URLs for custom slash commands which allows an authenticated attacker to redirect slash command responses to an attacker-controlled server via a spoofed Host…
- risk 0.16cvss 2.4epss 0.00
Geyser is a bridge between Minecraft: Bedrock Edition and Minecraft: Java Edition. Prior to 2.9.3, a server-side request forgery (SSRF) vulnerability exists in Geyser’s handling of Bedrock player head texture data. By supplying a crafted Base64-encoded skin texture URL via the…
- risk 0.16cvss 3.5epss 0.00
EspoCRM is an open source customer relationship management application. In versions 9.3.3 and below, the POST /api/v1/Attachment/fromImageUrl endpoint is vulnerable to Server-Side Request Forgery (SSRF) via a DNS rebinding (TOCTOU) condition. Host validation uses…
- risk 0.16cvss 3.5epss 0.00
Backstage is an open framework for building developer portals, and @backstage/backend-defaults provides the default implementations and setup for a standard Backstage backend app. Prior to versions 0.12.2, 0.13.2, 0.14.1, and 0.15.0, the `FetchUrlReader` component, used by the…
- risk 0.16cvss 2.5epss 0.00
BigFix Patch Download Plug-ins are affected by Server-Side Request Forgery (SSRF) vulnerability. It may allow the application to download files from an internally hosted server on localhost.
- risk 0.16cvss 3.5epss 0.01
Synapse is a Matrix protocol homeserver written in Python with the Twisted framework. A discovered oEmbed or image URL can bypass the `url_preview_url_blacklist` setting potentially allowing server side request forgery or bypassing network policies. Impact is limited to IP…
- risk 0.14cvss 2.2epss 0.00
The Church Admin plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 5.0.28 due to insufficient validation of user-supplied URLs in the 'audio_url' parameter. This makes it possible for authenticated attackers, with…
- risk 0.13cvss 3.0epss 0.00
LobeChat is an open source chat application platform. The web-crawler package in LobeChat version 1.136.1 allows server-side request forgery (SSRF) in the tools.search.crawlPages tRPC endpoint. A client can supply an arbitrary urls array together with impls containing the value…
- risk 0.13cvss 3.0epss 0.00
Lychee is a free, open-source photo-management tool. Prior to version 6.6.13, a critical Server-Side Request Forgery (SSRF) vulnerability exists in the `/api/v2/Photo::fromUrl` endpoint. This flaw lets an attacker instruct the application’s backend to make HTTP requests to any…
- risk 0.12cvss 7.2epss 0.90
Adminer is an open-source database management in a single PHP file. In adminer from version 4.0.0 and before 4.7.9 there is a server-side request forgery vulnerability. Users of Adminer versions bundling all drivers (e.g. `adminer.php`) are affected. This is fixed in version…
- risk 0.11cvss 2.7epss 0.00
Ghost is a Node.js content management system. In versions 5.38.0 through 5.130.5 and 6.0.0 through 6.10.3, a vulnerability in Ghost’s media inliner mechanism allows staff users in possession of a valid authentication token for the Ghost Admin API to exfiltrate data from…
- risk 0.11cvss 2.7epss 0.00
SummaryUsers with webhook permissions can conduct SSRF via webhooks. If they have permission to view the webhook logs, the (partial) request response is also disclosed DetailsWhen sending webhooks, the destination is not validated, causing SSRF. ImpactBypass of firewalls to…
- risk 0.11cvss —epss 0.00
PowSyBl (Power System Blocks) is a framework to build power system oriented software. Prior to version 6.7.2, in certain places, powsybl-core XML parsing is vulnerable to an XML external entity (XXE) attack and to a server-side request forgery (SSRF) attack. This allows an…