VYPR

CWE-918

Server-Side Request Forgery (SSRF)

Abstraction: Base · Status: Incomplete

Description

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
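The check the description says is missing, worked through in code, together with the failure modes several entries on this page call out: an IPv6-mapped IPv4 literal slipping past a deny-list, a redirect to an internal address after the first URL passed validation, and a DNS name that resolves to a private range. This is an added example, not code from any project listed here. DNS and HTTP are replaced by constructed in-memory tables so it runs offline: the names example.com, internal.corp, rebind.attacker.test and mapped.attacker.test, the addresses they map to, and the response table are all assumptions made for the example.

```python
"""SSRF destination check: resolve the host, classify every address, re-check each redirect hop.

Added example; not the code of any project on this page. DNS and HTTP are stubbed
with constructed tables so the example runs offline.
"""
import ipaddress
from urllib.parse import urlsplit, urljoin

# Constructed DNS table (assumption: stands in for the resolver the HTTP client uses).
FAKE_DNS = {
    "example.com": ["93.184.216.34"],
    "internal.corp": ["10.0.0.5"],                           # private host behind a public-looking name
    "rebind.attacker.test": ["93.184.216.34", "127.0.0.1"],  # one public and one loopback record
    "mapped.attacker.test": ["::ffff:169.254.169.254"],      # IPv6-mapped IPv4 pointing at cloud metadata
}

# Constructed HTTP table: url -> (status, body or Location header).
FAKE_HTTP = {
    "http://example.com/ok": (200, "hello"),
    "http://example.com/hop": (302, "/ok"),
    "http://example.com/bounce": (302, "http://169.254.169.254/latest/meta-data/"),
    "http://example.com/loop": (302, "/loop"),
}

ALLOWED_SCHEMES = {"http", "https"}
# CGNAT range: not flagged by ipaddress.is_private on older Pythons, so block it explicitly.
EXTRA_BLOCKED = [ipaddress.ip_network("100.64.0.0/10")]


def naive_is_forbidden(host):
    """The pattern that keeps getting bypassed: a string deny-list on the host as written."""
    return host.lower().startswith(("localhost", "127.", "10.", "169.254.", "192.168.", "172.16."))


def is_forbidden(addr):
    """Classify an address, not a string; unwrap ::ffff:a.b.c.d first so the IPv4 rules apply.
    IPv6Address('::ffff:169.254.169.254').is_link_local is False, which is how mapped literals slip past."""
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    if any(addr in net for net in EXTRA_BLOCKED if net.version == addr.version):
        return True
    return (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def resolve(host, resolver=FAKE_DNS):
    """All addresses for host: IP literals are used as-is, names go through the resolver table.
    Resolve with the same resolver the client will use; libc accepts forms ipaddress rejects
    (decimal, octal, '127.1'), and they must be classified the same way."""
    try:
        return [ipaddress.ip_address(host)]
    except ValueError:
        pass
    answers = resolver.get(host.lower())
    if not answers:
        raise ValueError(f"unresolvable host: {host}")
    return [ipaddress.ip_address(a) for a in answers]


def check_url(url, resolver=FAKE_DNS):
    """Validate one hop. Returns (host, port, pinned_ip) or raises ValueError."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise ValueError("userinfo in URL not allowed")
    host = parts.hostname  # lowercased, brackets stripped from IPv6 literals
    if not host:
        raise ValueError("missing host")
    addrs = resolve(host, resolver)
    bad = [a for a in addrs if is_forbidden(a)]
    if bad:  # reject if ANY answer is internal, so a mixed answer cannot be raced
        raise ValueError(f"{host} resolves to forbidden address {bad[0]}")
    port = parts.port or (443 if scheme == "https" else 80)
    return host, port, str(addrs[0])


def is_allowed(url, resolver=FAKE_DNS):
    try:
        check_url(url, resolver)
        return True
    except ValueError:
        return False


def safe_fetch(url, resolver=FAKE_DNS, http=FAKE_HTTP, max_redirects=3):
    """Follow redirects by hand: every Location is validated exactly like the first URL."""
    for _ in range(max_redirects + 1):
        check_url(url, resolver)
        status, payload = http.get(url, (404, ""))
        if status in (301, 302, 303, 307, 308):
            url = urljoin(url, payload)
            continue
        return status, payload
    raise ValueError("too many redirects")


if __name__ == "__main__":
    for u in ("http://example.com/hop", "http://mapped.attacker.test/", "http://example.com/bounce"):
        try:
            print(u, "->", safe_fetch(u))
        except ValueError as e:
            print(u, "-> blocked:", e)
```

Two points the table-driven version cannot show but a real client must handle: connect to the pinned address returned by check_url (with the original name in the Host/SNI) rather than letting the client resolve again, otherwise a DNS answer can change between the check and the connect; and disable the client's own redirect following, since a library that follows redirects internally never gives the validator a second look.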

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-664

CVEs mapped to this weakness (1,583)

page 68 of 80
  • CVE-2024-12801 · Low · Dec 19, 2024
    risk 0.09 · cvss (none) · epss 0.00

    Server-Side Request Forgery (SSRF) in SaxEventRecorder by QOS.CH logback version 0.1 to 1.3.14 and 1.4.0 to 1.5.12 on the Java platform, allows an attacker to forge requests by compromising logback configuration files in XML. The attack involves the modification of…

  • CVE-2020-10770 · Medium · Dec 15, 2020
    risk 0.09 · cvss 5.3 · epss 0.70

    A flaw was found in Keycloak before 13.0.0, where it is possible to force the server to call out an unverified URL using the OIDC parameter request_uri. This flaw allows an attacker to use this parameter to execute a Server-side request forgery (SSRF) attack.

  • CVE-2026-46497 · Low · Jun 10, 2026
    risk 0.08 · cvss (none) · epss 0.00

    Crawlee is a web scraping and browser automation library. From version 1.0.0 to before version 1.7.0, Crawlee is vulnerable to SSRF via sitemap-derived URLs. This issue has been patched in version 1.7.0.

  • CVE-2026-44515 · Low · May 14, 2026
    risk 0.08 · cvss (none) · epss 0.00

    Nextcloud News is an RSS/Atom feed reader. Prior to 28.3.0-beta.1, Nextcloud News allows authenticated users to add feeds by providing a feed URL (via the web interface or the API). In affected versions, an authenticated attacker could provide a URL pointing to internal/private…

  • CVE-2026-44286 · Low · May 8, 2026
    risk 0.08 · cvss (none) · epss 0.00

    FastGPT is an AI Agent building platform. Prior to version 4.14.17, an unauthenticated Server-Side Request Forgery (SSRF) vulnerability allows attackers (or authenticated users with App editing privileges) to send arbitrary HTTP requests to internal/private network addresses.…

  • CVE-2026-41321 · Low · Apr 24, 2026
    risk 0.07 · cvss 2.2 · epss 0.00

    @astrojs/cloudflare is an SSR adapter for use with Cloudflare Workers targets. Prior to 13.1.10, the fetch() call for remote images in packages/integrations/cloudflare/src/utils/image-binding-transform.ts uses the default redirect: 'follow' behavior. This allows the Cloudflare…

  • CVE-2023-49785 · Mar 11, 2024
    risk 0.07 · cvss (none) · epss 0.83

    NextChat, also known as ChatGPT-Next-Web, is a cross-platform chat user interface for use with ChatGPT. Versions 2.11.2 and prior are vulnerable to server-side request forgery and cross-site scripting. This vulnerability enables read access to internal HTTP endpoints but also…

  • CVE-2020-13379 · High · Jun 3, 2020
    risk 0.04 · cvss 8.2 · epss 1.00

    The avatar feature in Grafana 3.0.1 through 7.0.1 has an SSRF Incorrect Access Control issue. This vulnerability allows any unauthenticated user/client to make Grafana send HTTP requests to any URL and return its result to the user/client. This can be used to gain information…

  • CVE-2023-48022 · Critical · Nov 28, 2023
    risk 0.03 · cvss 9.8 · epss 0.82

    Anyscale Ray 2.6.3 and 2.8.0 allows a remote attacker to execute arbitrary code via the job submission API. NOTE: the vendor's position is that this report is irrelevant because Ray, as stated in its documentation, is not intended for use outside of a strictly controlled network…

  • CVE-2018-25031 · Medium · Mar 11, 2022
    risk 0.03 · cvss 4.3 · epss 0.42

    Swagger UI 4.1.2 and earlier could allow a remote attacker to conduct spoofing attacks. By persuading a victim to open a crafted URL, an attacker could exploit this vulnerability to display remote OpenAPI definitions. Note: This was originally claimed to be resolved in 4.1.3.…

  • CVE-2021-32682 · Critical · Jun 14, 2021
    risk 0.02 · cvss 9.8 · epss 0.70

    elFinder is an open-source file manager for web, written in JavaScript using jQuery UI. Several vulnerabilities affect elFinder 2.1.58. These vulnerabilities can allow an attacker to execute arbitrary code and commands on the server hosting the elFinder PHP connector, even with…

  • CVE-2024-29198 · Jun 10, 2025
    risk 0.01 · cvss (none) · epss 0.02

    GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. It is possible to achieve Server-Side Request Forgery (SSRF) via the Demo request endpoint if Proxy Base URL has not been set. Upgrading to GeoServer 2.24.4, or 2.25.2,…

  • CVE-2026-56348 · Jun 22, 2026
    risk 0.00 · cvss (none) · epss 0.00

    n8n before 2.20.0 contains a credential exfiltration vulnerability in the POST /rest/dynamic-node-parameters/options endpoint that allows authenticated users to bypass Allowed HTTP Request Domains restrictions. Attackers with credential access can cause the n8n server to issue…

  • CVE-2026-56266 · Jun 22, 2026
    risk 0.00 · cvss (none) · epss 0.00

    Crawl4AI before 0.8.7 contains a server-side request forgery vulnerability in the /crawl, /crawl/stream, /md, and /llm endpoints that fetch arbitrary user-supplied URLs without validation. Unauthenticated attackers can bypass the internal-address blocklist using IPv6-mapped IPv4…

  • CVE-2026-55187 · Jun 19, 2026
    risk 0.00 · cvss (none) · epss (none)

    The remediation shipped in mailpit v1.29.2 for GHSA-mpf7-p9x7-96r3 (https://github.com/axllent/mailpit/security/advisories/GHSA-mpf7-p9x7-96r3, CVE-2026-27808) is incomplete. The `tools.IsInternalIP` deny-list relies on Go's stdlib classification helpers…

  • CVE-2026-55414 · Jun 19, 2026
    risk 0.00 · cvss (none) · epss (none)

    The public GraphQL resolvers `getFormDefinitionByObjectenApiUrl(url)` and the deprecated `getFormDefinitionById(id)` fetch a caller-supplied URL using the privileged Objecten-API token. Because the `/graphql` endpoint is `permitAll()` and these resolvers do not…

  • CVE-2026-55374 · Jun 19, 2026
    risk 0.00 · cvss (none) · epss (none)

    In affected versions, `Request::buildRequestUrl()` inserts path variables into the request URL without URL encoding (`implode('/', $pathVariables)`). All request classes implementing `getPathVariables()` are affected, e.g. `GetContentDetailsRequest`…

  • CVE-2026-55591 · Jun 18, 2026
    risk 0.00 · cvss (none) · epss (none)

    signalk-server versions up to and including 2.27.0 contain a Server-Side Request Forgery (SSRF) vulnerability in three administrative endpoints used for remote Signal K server connection management. The `makeRemoteRequest()` function accepts attacker-controlled…

  • CVE-2026-55671 · Low · Jun 18, 2026
    risk 0.00 · cvss (none) · epss (none)

    A Server-Side Request Forgery (SSRF) vulnerability was discovered in Zitadel affecting: HTTP Notification Channels (used as an alternative to SMTP/Twilio configurations, sending payloads to user-defined URLs via HTTP POST webhooks) and OIDC BackChannel…

  • CVE-2026-12566 · Jun 17, 2026
    risk 0.00 · cvss (none) · epss 0.00

    The docker_pull module uses the realm parameter from a Docker registry's WWW-Authenticate response header as the authentication endpoint without validation. An attacker in a man-in-the-middle position between bbot and a Docker registry could modify this header to redirect the…