VYPR

CWE-918

Server-Side Request Forgery (SSRF)

Abstraction: Base; Status: Incomplete

Description

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-664

CVEs mapped to this weakness (1,583)

page 69 of 80
  • CVE-2026-53872 (Jun 17, 2026)
    risk 0.00, cvss (not listed), epss 0.01

    picklescan before 0.0.35 contains an unsafe pickle deserialization vulnerability allowing unauthenticated attackers to read arbitrary server files by chaining io.FileIO and urllib.request.urlopen. Attackers can bypass RCE-focused blocklists to exfiltrate sensitive data like…

  • CVE-2026-53931 (Jun 17, 2026)
    risk 0.00, cvss (not listed), epss 0.00

    ### Summary The spreadsheet-import endpoint `axiosRequestMake` could be used as a generic HTTP proxy. Before the fix it was reachable unauthenticated, and its URL-extension allowlist was a regex tested against the full URL string, so URLs whose query string ended in `.csv` (for…

  • CVE-2026-53930 (Jun 17, 2026)
    risk 0.00, cvss (not listed), epss 0.00

    ### Summary The base-migration endpoint accepted a caller-supplied URL that the migration worker dereferenced without enforcing protocol or destination, allowing scheme abuse (`file:`, `ftp:`, etc.) and probing of internal HTTP destinations. ### Details The `migrate` endpoint…

  • CVE-2026-53927 (Jun 17, 2026)
    risk 0.00, cvss (not listed), epss 0.00

    ### Summary The spreadsheet-fetch endpoint (`axiosRequestMake`) accepted URLs whose path contained a permitted extension anywhere in the string, and applied a hand-rolled regex blocklist that omitted `127.0.0.0/8` and `169.254.0.0/16`, allowing the cloud-metadata endpoint to be…

  • CVE-2026-50134 (Jun 16, 2026)
    risk 0.00, cvss (not listed), epss (not listed)

    **Commit:** [86fbb0f7a8](https://github.com/gohugoio/hugo/commit/86fbb0f7a8) — _security: Validate redirects against security.http.urls_ **Affected versions:** v0.91.0 (when `security.http.urls` was introduced) through v0.161.1. **Fixed in:** v0.162.0. **Severity:** Only…

  • CVE-2026-49860 (Jun 16, 2026)
    risk 0.00, cvss (not listed), epss 0.00

    ## Summary When a WebSocket connection was opened, Deno checked the destination hostname against `--deny-net` rules but did not re-check the IP addresses that hostname resolved to. An attacker-controlled script could use a specially crafted domain name that passes the hostname…

  • CVE-2026-49859 (Jun 16, 2026)
    risk 0.00, cvss (not listed), epss 0.00

    ## Summary When `fetch()` was called, Deno checked the destination hostname against `--deny-net` rules but did not re-check the IP addresses that hostname resolved to. An attacker-controlled script could use a specially crafted domain name that passes the hostname check yet…

  • CVE-2026-54300 (Jun 16, 2026)
    risk 0.00, cvss (not listed), epss 0.00

    ## Summary `@astrojs/netlify` converts Astro `image.remotePatterns` into Netlify Image CDN `images.remote_images` regular expressions with broader semantics than Astro's canonical matcher. A single wildcard hostname such as `*.example.com` is converted to an optional subdomain…

  • CVE-2025-58175 (Jun 12, 2026)
    risk 0.00, cvss (not listed), epss 0.00

    ### Summary A GeoServer that uses `ENTITY_RESOLUTION_ALLOWLIST` may allow attacker to perform unauthenticated Server-Side Request Forgery (SSRF). ### Details This vulnerability requires that GeoServer is set up to use a proxy base URL and the `ENTITY_RESOLUTION_ALLOWLIST`…

  • CVE-2026-48053 (Jun 11, 2026)
    risk 0.00, cvss (not listed), epss 0.00

    ## Summary Several Kolibri API endpoints accept an unvalidated `baseurl` parameter and fetch attacker-controlled URLs from the Kolibri server, reflecting the response body back to the caller. The original report identified two endpoints on the `RemoteFacilityUser*` viewsets;…

  • CVE-2026-48051, severity low (Jun 10, 2026)
    risk 0.00, cvss (not listed), epss 0.00

    ### Summary Papra's webhook delivery system contains an SSRF protection bypass that allows any authenticated organisation member to cause the server to make HTTP requests to internal addresses — loopback, link-local, and RFC-1918 ranges. The SSRF protection validates the…

  • CVE-2026-47382 (Jun 5, 2026)
    risk 0.00, cvss (not listed), epss 0.00

    ### Summary The connection-test endpoint opened a raw TCP socket to the user-supplied database host without resolving and range-checking the destination, so private and link-local addresses (including IPv4-mapped IPv6 forms and `localhost`) reached the driver. ### Details A new…

  • CVE-2026-45723, severity low (Jun 5, 2026)
    risk 0.00, cvss (not listed), epss 0.00

    ## Summary `managementServer.CreateSchematic` (`internal/backend/grpc/schematics.go`) passes the caller-controlled `TalosVersion` field directly to `imageFactoryClient.OverlaysVersions`, which embeds it verbatim into a `fmt.Sprintf("/version/%s/overlays/official",…

  • CVE-2026-48013 (Jun 4, 2026)
    risk 0.00, cvss (not listed), epss 0.00

    ## Summary The `/api/_action/media/external-link` endpoint allows authenticated admin users to make server-side HTTP HEAD requests to arbitrary internal IP addresses. While the parallel `uploadFromURL` flow validates target IPs against private/reserved ranges via…

  • CVE-2026-47390 (May 29, 2026)
    risk 0.00, cvss (not listed), epss 0.00

    ### Summary PraisonAI's `spider_tools` URL validation can be bypassed using alternate loopback host encodings. The affected component is `praisonaiagents/tools/spider_tools.py`. The tool contains a URL validation function intended to block local or unsafe targets…

  • CVE-2026-46380 (May 28, 2026)
    risk 0.00, cvss (not listed), epss 0.00

    A source code audit led to the discovery of three significant security vulnerabilities in the trestle/core/remote/cache.py module. **Finding 1 (Critical): SSRF (CWE-918)** The HTTPSFetcher._do_fetch() method passes a user-supplied URL directly to requests.get() without…

  • CVE-2026-46678 (May 21, 2026)
    risk 0.00, cvss (not listed), epss 0.00

    ## Summary When an application using Pydantic AI opts a URL into `force_download='allow-local'` (which disables the default block on private/internal IPs), the cloud-metadata blocklist could be bypassed by encoding the metadata IP in an IPv6 transition form (IPv4-mapped IPv6,…

  • CVE-2026-46556 (May 21, 2026)
    risk 0.00, cvss (not listed), epss 0.00

    ### Summary A Server-Side Request Forgery (SSRF) vulnerability in get_image_info() allows any authenticated user to force the server to send HTTP requests to arbitrary internal endpoints, including cloud metadata services (e.g., AWS 169.254.169.254). This is a blind SSRF with…

  • CVE-2026-46548 (May 21, 2026)
    risk 0.00, cvss (not listed), epss 0.00

    ### Summary The `request-filtering-agent` SSRF protection was non-functional in the four notification webhook plugins (Slack, Discord, Mattermost, Teams) because `httpAgent` / `httpsAgent` were passed as part of the request **body** rather than the axios **config**. An…

  • CVE-2026-45796 (May 19, 2026)
    risk 0.00, cvss (not listed), epss 0.00

    ## Summary Unauthenticated semi-blind Server-Side Request Forgery (SSRF) via the Azure instance identity endpoint (`POST /api/v2/workspaceagents/azure-instance-identity`). An external attacker can force the Coder server to issue HTTP GET requests to arbitrary internal or…