CWE-918
Server-Side Request Forgery (SSRF)
Description
The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Hierarchy (View 1000)
Parents
Children
none
Related attack patterns (CAPEC)
CAPEC-664
CVEs mapped to this weakness (1,583)
page 68 of 80| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2024-12801 | Low | 0.09 | — | 0.00 | Dec 19, 2024 | Server-Side Request Forgery (SSRF) in SaxEventRecorder by QOS.CH logback version 0.1 to 1.3.14 and 1.4.0 to 1.5.12 on the Java platform, allows an attacker to forge requests by compromising logback configuration files in XML. The attacks involves the modification of… | ||
| CVE-2020-10770 | Med | 0.09 | 5.3 | 0.70 | Dec 15, 2020 | A flaw was found in Keycloak before 13.0.0, where it is possible to force the server to call out an unverified URL using the OIDC parameter request_uri. This flaw allows an attacker to use this parameter to execute a Server-side request forgery (SSRF) attack. | ||
| CVE-2026-46497 | Low | 0.08 | — | 0.00 | Jun 10, 2026 | Crawlee is a web scraping and browser automation library. From version 1.0.0 to before version 1.7.0, Crawlee is vulnerable to SSRF via sitemap-derived URLs. This issue has been patched in version 1.7.0. | ||
| CVE-2026-44515 | Low | 0.08 | — | 0.00 | May 14, 2026 | Nextcloud News is an RSS/Atom feed reader. Prior to 28.3.0-beta.1, Nextcloud News allows authenticated users to add feeds by providing a feed URL (via the web interface or the API). In affected versions, an authenticated attacker could provide a URL pointing to internal/private… | ||
| CVE-2026-44286 | Low | 0.08 | — | 0.00 | May 8, 2026 | FastGPT is an AI Agent building platform. Prior to version 4.14.17, an unauthenticated Server-Side Request Forgery (SSRF) vulnerability allows attackers (or authenticated users with App editing privileges) to send arbitrary HTTP requests to internal/private network addresses.… | ||
| CVE-2026-41321 | — | Low | 0.07 | 2.2 | 0.00 | Apr 24, 2026 | @astrojs/cloudflare is an SSR adapter for use with Cloudflare Workers targets. Prior to 13.1.10, the fetch() call for remote images in packages/integrations/cloudflare/src/utils/image-binding-transform.ts uses the default redirect: 'follow' behavior. This allows the Cloudflare… | |
| CVE-2023-49785 | 0.07 | — | 0.83 | Mar 11, 2024 | NextChat, also known as ChatGPT-Next-Web, is a cross-platform chat user interface for use with ChatGPT. Versions 2.11.2 and prior are vulnerable to server-side request forgery and cross-site scripting. This vulnerability enables read access to internal HTTP endpoints but also… | |||
| CVE-2020-13379 | — | Hig | 0.04 | 8.2 | 1.00 | Jun 3, 2020 | The avatar feature in Grafana 3.0.1 through 7.0.1 has an SSRF Incorrect Access Control issue. This vulnerability allows any unauthenticated user/client to make Grafana send HTTP requests to any URL and return its result to the user/client. This can be used to gain information… | |
| CVE-2023-48022 | — | Cri | 0.03 | 9.8 | 0.82 | Nov 28, 2023 | Anyscale Ray 2.6.3 and 2.8.0 allows a remote attacker to execute arbitrary code via the job submission API. NOTE: the vendor's position is that this report is irrelevant because Ray, as stated in its documentation, is not intended for use outside of a strictly controlled network… | |
| CVE-2018-25031 | — | Med | 0.03 | 4.3 | 0.42 | Mar 11, 2022 | Swagger UI 4.1.2 and earlier could allow a remote attacker to conduct spoofing attacks. By persuading a victim to open a crafted URL, an attacker could exploit this vulnerability to display remote OpenAPI definitions. Note: This was originally claimed to be resolved in 4.1.3.… | |
| CVE-2021-32682 | Cri | 0.02 | 9.8 | 0.70 | Jun 14, 2021 | elFinder is an open-source file manager for web, written in JavaScript using jQuery UI. Several vulnerabilities affect elFinder 2.1.58. These vulnerabilities can allow an attacker to execute arbitrary code and commands on the server hosting the elFinder PHP connector, even with… | ||
| CVE-2024-29198 | 0.01 | — | 0.02 | Jun 10, 2025 | GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. It possible to achieve Service Side Request Forgery (SSRF) via the Demo request endpoint if Proxy Base URL has not been set. Upgrading to GeoServer 2.24.4, or 2.25.2,… | |||
| CVE-2026-56348 | 0.00 | — | 0.00 | Jun 22, 2026 | n8n before 2.20.0 contains a credential exfiltration vulnerability in the POST /rest/dynamic-node-parameters/options endpoint that allows authenticated users to bypass Allowed HTTP Request Domains restrictions. Attackers with credential access can cause the n8n server to issue… | |||
| CVE-2026-56266 | 0.00 | — | 0.00 | Jun 22, 2026 | Crawl4AI before 0.8.7 contains a server-side request forgery vulnerability in the /crawl, /crawl/stream, /md, and /llm endpoints that fetch arbitrary user-supplied URLs without validation. Unauthenticated attackers can bypass the internal-address blocklist using IPv6-mapped IPv4… | |||
| CVE-2026-55187 | 0.00 | — | — | Jun 19, 2026 | ## Summary The remediation shipped in mailpit v1.29.2 for [GHSA-mpf7-p9x7-96r3](https://github.com/axllent/mailpit/security/advisories/GHSA-mpf7-p9x7-96r3) (CVE-2026-27808) is incomplete. The `tools.IsInternalIP` deny-list relies on Go's stdlib classification helpers… | |||
| CVE-2026-55414 | 0.00 | — | — | Jun 19, 2026 | ## Summary The public GraphQL resolvers `getFormDefinitionByObjectenApiUrl(url)` and the deprecated `getFormDefinitionById(id)` fetch a caller-supplied URL using the **privileged Objecten-API token**. Because the `/graphql` endpoint is `permitAll()` and these resolvers do not… | |||
| CVE-2026-55374 | — | 0.00 | — | — | Jun 19, 2026 | ## Summary In affected versions, `Request::buildRequestUrl()` inserts path variables into the request URL without URL encoding (`implode('/', $pathVariables)`). All request classes implementing `getPathVariables()` are affected, e.g. `GetContentDetailsRequest`… | ||
| CVE-2026-55591 | 0.00 | — | — | Jun 18, 2026 | ### Summary signalk-server versions up to and including 2.27.0 contain a Server-Side Request Forgery (SSRF) vulnerability in three administrative endpoints used for remote Signal K server connection management. The `makeRemoteRequest()` function accepts attacker-controlled… | |||
| CVE-2026-55671 | low | 0.00 | — | — | Jun 18, 2026 | ### Summary A Server-Side Request Forgery (SSRF) vulnerability was discovered in Zitadel affecting: * **HTTP Notification Channels:** Used as an alternative to SMTP/Twilio configurations, sending payloads to user-defined URLs via HTTP POST webhooks. * **OIDC BackChannel… | ||
| CVE-2026-12566 | 0.00 | — | 0.00 | Jun 17, 2026 | The docker_pull module uses the realm parameter from a Docker registry's WWW-Authenticate response header as the authentication endpoint without validation. An attacker in a man-in-the-middle position between bbot and a Docker registry could modify this header to redirect the… |
- risk 0.09cvss —epss 0.00
Server-Side Request Forgery (SSRF) in SaxEventRecorder by QOS.CH logback version 0.1 to 1.3.14 and 1.4.0 to 1.5.12 on the Java platform, allows an attacker to forge requests by compromising logback configuration files in XML. The attacks involves the modification of…
- risk 0.09cvss 5.3epss 0.70
A flaw was found in Keycloak before 13.0.0, where it is possible to force the server to call out an unverified URL using the OIDC parameter request_uri. This flaw allows an attacker to use this parameter to execute a Server-side request forgery (SSRF) attack.
- risk 0.08cvss —epss 0.00
Crawlee is a web scraping and browser automation library. From version 1.0.0 to before version 1.7.0, Crawlee is vulnerable to SSRF via sitemap-derived URLs. This issue has been patched in version 1.7.0.
- risk 0.08cvss —epss 0.00
Nextcloud News is an RSS/Atom feed reader. Prior to 28.3.0-beta.1, Nextcloud News allows authenticated users to add feeds by providing a feed URL (via the web interface or the API). In affected versions, an authenticated attacker could provide a URL pointing to internal/private…
- risk 0.08cvss —epss 0.00
FastGPT is an AI Agent building platform. Prior to version 4.14.17, an unauthenticated Server-Side Request Forgery (SSRF) vulnerability allows attackers (or authenticated users with App editing privileges) to send arbitrary HTTP requests to internal/private network addresses.…
- risk 0.07cvss 2.2epss 0.00
@astrojs/cloudflare is an SSR adapter for use with Cloudflare Workers targets. Prior to 13.1.10, the fetch() call for remote images in packages/integrations/cloudflare/src/utils/image-binding-transform.ts uses the default redirect: 'follow' behavior. This allows the Cloudflare…
- CVE-2023-49785Mar 11, 2024risk 0.07cvss —epss 0.83
NextChat, also known as ChatGPT-Next-Web, is a cross-platform chat user interface for use with ChatGPT. Versions 2.11.2 and prior are vulnerable to server-side request forgery and cross-site scripting. This vulnerability enables read access to internal HTTP endpoints but also…
- risk 0.04cvss 8.2epss 1.00
The avatar feature in Grafana 3.0.1 through 7.0.1 has an SSRF Incorrect Access Control issue. This vulnerability allows any unauthenticated user/client to make Grafana send HTTP requests to any URL and return its result to the user/client. This can be used to gain information…
- risk 0.03cvss 9.8epss 0.82
Anyscale Ray 2.6.3 and 2.8.0 allows a remote attacker to execute arbitrary code via the job submission API. NOTE: the vendor's position is that this report is irrelevant because Ray, as stated in its documentation, is not intended for use outside of a strictly controlled network…
- risk 0.03cvss 4.3epss 0.42
Swagger UI 4.1.2 and earlier could allow a remote attacker to conduct spoofing attacks. By persuading a victim to open a crafted URL, an attacker could exploit this vulnerability to display remote OpenAPI definitions. Note: This was originally claimed to be resolved in 4.1.3.…
- risk 0.02cvss 9.8epss 0.70
elFinder is an open-source file manager for web, written in JavaScript using jQuery UI. Several vulnerabilities affect elFinder 2.1.58. These vulnerabilities can allow an attacker to execute arbitrary code and commands on the server hosting the elFinder PHP connector, even with…
- CVE-2024-29198Jun 10, 2025risk 0.01cvss —epss 0.02
GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. It possible to achieve Service Side Request Forgery (SSRF) via the Demo request endpoint if Proxy Base URL has not been set. Upgrading to GeoServer 2.24.4, or 2.25.2,…
- CVE-2026-56348Jun 22, 2026risk 0.00cvss —epss 0.00
n8n before 2.20.0 contains a credential exfiltration vulnerability in the POST /rest/dynamic-node-parameters/options endpoint that allows authenticated users to bypass Allowed HTTP Request Domains restrictions. Attackers with credential access can cause the n8n server to issue…
- CVE-2026-56266Jun 22, 2026risk 0.00cvss —epss 0.00
Crawl4AI before 0.8.7 contains a server-side request forgery vulnerability in the /crawl, /crawl/stream, /md, and /llm endpoints that fetch arbitrary user-supplied URLs without validation. Unauthenticated attackers can bypass the internal-address blocklist using IPv6-mapped IPv4…
- CVE-2026-55187Jun 19, 2026risk 0.00cvss —epss —
## Summary The remediation shipped in mailpit v1.29.2 for [GHSA-mpf7-p9x7-96r3](https://github.com/axllent/mailpit/security/advisories/GHSA-mpf7-p9x7-96r3) (CVE-2026-27808) is incomplete. The `tools.IsInternalIP` deny-list relies on Go's stdlib classification helpers…
- CVE-2026-55414Jun 19, 2026risk 0.00cvss —epss —
## Summary The public GraphQL resolvers `getFormDefinitionByObjectenApiUrl(url)` and the deprecated `getFormDefinitionById(id)` fetch a caller-supplied URL using the **privileged Objecten-API token**. Because the `/graphql` endpoint is `permitAll()` and these resolvers do not…
- CVE-2026-55374Jun 19, 2026risk 0.00cvss —epss —
## Summary In affected versions, `Request::buildRequestUrl()` inserts path variables into the request URL without URL encoding (`implode('/', $pathVariables)`). All request classes implementing `getPathVariables()` are affected, e.g. `GetContentDetailsRequest`…
- CVE-2026-55591Jun 18, 2026risk 0.00cvss —epss —
### Summary signalk-server versions up to and including 2.27.0 contain a Server-Side Request Forgery (SSRF) vulnerability in three administrative endpoints used for remote Signal K server connection management. The `makeRemoteRequest()` function accepts attacker-controlled…
- risk 0.00cvss —epss —
### Summary A Server-Side Request Forgery (SSRF) vulnerability was discovered in Zitadel affecting: * **HTTP Notification Channels:** Used as an alternative to SMTP/Twilio configurations, sending payloads to user-defined URLs via HTTP POST webhooks. * **OIDC BackChannel…
- CVE-2026-12566Jun 17, 2026risk 0.00cvss —epss 0.00
The docker_pull module uses the realm parameter from a Docker registry's WWW-Authenticate response header as the authentication endpoint without validation. An attacker in a man-in-the-middle position between bbot and a Docker registry could modify this header to redirect the…