CWE-918 — Server-Side Request Forgery (SSRF)
2,382 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories.
CVEs classified under CWE-918 (page 24 of 48)
- CVE-2024-29029 · MEDIUM · CVSS 6.1 · EG 6.1 · 2024-04-19
memos is a privacy-first, lightweight note-taking service. In memos 0.13.2, an SSRF vulnerability exists at the /o/get/image that allows unauthenticated users to enumerate the internal network and retrieve images. The response from the ima…
- CVE-2024-29030 · MEDIUM · CVSS 5.8 · EG 5.8 · 2024-04-19
memos is a privacy-first, lightweight note-taking service. In memos 0.13.2, an SSRF vulnerability exists at the /api/resource that allows authenticated users to enumerate the internal network. Version 0.22.0 of memos removes the vulnerable…
- CVE-2024-29035 · MEDIUM · CVSS 4.1 · EG 4.1 · 2024-04-17
Umbraco is an ASP.NET CMS. Failing webhooks logs are available when solution is not in debug mode. Those logs can contain information that is critical. This vulnerability is fixed in 13.1.1.
- CVE-2024-29090 · MEDIUM · CVSS 6.8 · EG 6.8 · 2024-03-28
Server-Side Request Forgery (SSRF) vulnerability in Jordy Meow AI Engine: ChatGPT Chatbot. This issue affects AI Engine: ChatGPT Chatbot: from n/a through 2.1.4.
- CVE-2024-29173 · MEDIUM · CVSS 6.8 · EG 6.8 · 2024-06-26
Dell PowerProtect DD, versions prior to 8.0, LTS 7.13.1.0, LTS 7.10.1.30, LTS 7.7.5.40 contain a Server-Side Request Forgery (SSRF) vulnerability. A remote high privileged attacker could potentially exploit this vulnerability, leading to d…
- CVE-2024-29190 · HIGH · CVSS 7.5 · EG 7.5 · 2024-03-22
Mobile Security Framework (MobSF) is a pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis. In version 3.9.5 Beta and prior, MobSF does not perform any input validation when ext…
- CVE-2024-29198 · HIGH · CVSS 7.5 · EG 7.5 · 2025-06-10
GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. It is possible to achieve Server-Side Request Forgery (SSRF) via the Demo request endpoint if Proxy Base URL has not been set. U…
- CVE-2024-29319 · CRITICAL · CVSS 9.8 · EG 9.8 · 2024-07-05
Volmarg Personal Management System 1.4.64 is vulnerable to SSRF (Server Side Request Forgery) via uploading a SVG file. The server can make unintended HTTP and DNS requests to a server that the attacker controls.
- CVE-2024-29415 · HIGH · CVSS 8.1 · EG 8.1 · 2024-05-27
The ip package through 2.0.1 for Node.js might allow SSRF because some IP addresses (such as 127.1, 01200034567, 012.1.2.3, 000:0:0000::01, and ::fFFf:127.0.0.1) are improperly categorized as globally routable via isPublic. NOTE: this issu…
- CVE-2024-29736 · CRITICAL · CVSS 9.1 · EG 9.1 · 2024-07-19
An SSRF vulnerability in WADL service description in versions of Apache CXF before 4.0.5, 3.6.4 and 3.5.9 allows an attacker to perform SSRF style attacks on REST webservices. The attack only applies if a custom stylesheet parameter is conf…
- CVE-2024-30125 · MEDIUM · CVSS 6.2 · EG 6.2 · 2024-07-18
HCL BigFix Compliance server can respond with an HTTP status of 500, indicating a server-side error that may cause the server process to die.
- CVE-2024-30150 · MEDIUM · CVSS 5.3 · EG 5.3 · 2025-02-25
HCL MyCloud is affected by Improper Access Control - an unauthenticated privilege escalation vulnerability which may lead to information disclosure and potential for Server-Side Request Forgery (SSRF) and Denial of Service (DoS) attacks fro…
- CVE-2024-30256 · MEDIUM · CVSS 6.4 · EG 6.4 · 2024-04-16
Open WebUI is a user-friendly WebUI for LLMs. Open-webui is vulnerable to authenticated blind server-side request forgery. This vulnerability is fixed in 0.1.117.
- CVE-2024-30420 · MEDIUM · CVSS 4.4 · EG 4.4 · 2024-05-22
Server-side request forgery (SSRF) vulnerability exists in a-blog cms Ver.3.1.x series versions prior to Ver.3.1.12 and Ver.3.0.x series versions prior to Ver.3.0.32. If this vulnerability is exploited, a user with an administrator or high…
- CVE-2024-30453 · MEDIUM · CVSS 5.4 · EG 5.4 · 2024-03-29
Server-Side Request Forgery (SSRF) vulnerability in Brave Brave Popup Builder. This issue affects Brave Popup Builder: from n/a through 0.6.5.
- CVE-2024-3047 · HIGH · CVSS 7.2 · EG 7.2 · 2024-05-02
The PDF Invoices & Packing Slips for WooCommerce plugin for WordPress is vulnerable to Server-Side Request Forgery in versions up to, and including, 3.8.0 via the transform() function. This can allow unauthenticated attackers to make web r…
- CVE-2024-30531 · MEDIUM · CVSS 4.9 · EG 4.9 · 2024-04-02
Server-Side Request Forgery (SSRF) vulnerability in Nelio Software Nelio Content. This issue affects Nelio Content: from n/a through 3.2.0.
- CVE-2024-30532 · MEDIUM · CVSS 4.9 · EG 4.9 · 2024-04-02
Server-Side Request Forgery (SSRF) vulnerability in Builderall Team Builderall Builder for WordPress. This issue affects Builderall Builder for WordPress: from n/a through 2.0.1.
- CVE-2024-3095 · HIGH · CVSS 7.7 · EG 7.7 · 2024-06-06
A Server-Side Request Forgery (SSRF) vulnerability exists in the Web Research Retriever component of langchain-ai/langchain version 0.1.5. The vulnerability arises because the Web Research Retriever does not restrict requests to remote int…
- CVE-2024-31215 · MEDIUM · CVSS 6.3 · EG 6.3 · 2024-04-04
Mobile Security Framework (MobSF) is a security research platform for mobile applications in Android, iOS and Windows Mobile. An SSRF vulnerability exists in the Firebase database check logic. The attacker can cause the server to make a connection to …
- CVE-2024-31229 · MEDIUM · CVSS 5.5 · EG 5.5 · 2024-04-18
Server-Side Request Forgery (SSRF) vulnerability in Really Simple Plugins Really Simple SSL. This issue affects Really Simple SSL: from n/a through 7.2.3.
- CVE-2024-31288 · HIGH · CVSS 7.2 · EG 7.2 · 2024-04-07
Server-Side Request Forgery (SSRF) vulnerability in RapidLoad RapidLoad Power-Up for Autoptimize. This issue affects RapidLoad Power-Up for Autoptimize: from n/a through 2.2.11.
- CVE-2024-31461 · CRITICAL · CVSS 9.1 · EG 9.1 · 2024-04-10
Plane, an open-source project management tool, has a Server-Side Request Forgery (SSRF) vulnerability in versions prior to 0.17-dev. This issue may allow an attacker to send arbitrary requests from the server hosting the application, poten…
- CVE-2024-3149 · HIGH · CVSS 8.8 · EG 9.6 · 2024-06-06
A Server-Side Request Forgery (SSRF) vulnerability exists in the upload link feature of mintplex-labs/anything-llm. This feature, intended for users with manager or admin roles, processes uploaded links through an internal Collector API us…
- CVE-2024-3152 · HIGH · CVSS 8.8 · EG 8.8 · 2024-06-06
mintplex-labs/anything-llm is vulnerable to multiple security issues due to improper input validation in several endpoints. An attacker can exploit these vulnerabilities to escalate privileges from a default user role to an admin role, rea…
- CVE-2024-31897 · MEDIUM · CVSS 4.3 · EG 4.3 · 2024-07-08
IBM Cloud Pak for Business Automation 18.0.0, 18.0.1, 18.0.2, 19.0.1, 19.0.2, 19.0.3, 20.0.1, 20.0.2, 20.0.3, 21.0.1, 21.0.2, 21.0.3, 22.0.1, 22.0.2, 23.0.1, and 23.0.2 are vulnerable to server-side request forgery (SSRF). This may allow an au…
- CVE-2024-31979 · MEDIUM · CVSS 4.3 · EG 4.3 · 2024-07-17
Server-Side Request Forgery (SSRF) vulnerability in Apache StreamPipes during installation process of pipeline elements. Previously, StreamPipes allowed users to configure custom endpoints from which to install additional pipeline elements…
- CVE-2024-31991 · MEDIUM · CVSS 4.1 · EG 4.1 · 2024-04-19
Mealie is a self hosted recipe manager and meal planner. Prior to 1.4.0, the safe_scrape_html function utilizes a user-controlled URL to issue a request to a remote server. Based on the content of the response, it will either parse the con…
- CVE-2024-31993 · MEDIUM · CVSS 6.2 · EG 6.2 · 2024-04-19
Mealie is a self hosted recipe manager and meal planner. Prior to 1.4.0, the scrape_image function will retrieve an image based on a user-provided URL, however the provided URL is not validated to point to an external location and does not…
- CVE-2024-32407 · HIGH · CVSS 8.8 · EG 8.8 · 2024-04-22
An issue in inducer relate before v.2024.1 allows a remote attacker to execute arbitrary code via a crafted payload to the Page Sandbox feature.
- CVE-2024-32430 · MEDIUM · CVSS 4.4 · EG 4.4 · 2024-04-15
Server-Side Request Forgery (SSRF) vulnerability in ActiveCampaign. This issue affects ActiveCampaign: from n/a through 8.1.14.
- CVE-2024-32454 · MEDIUM · CVSS 4.4 · EG 4.4 · 2024-04-15
Server-Side Request Forgery (SSRF) vulnerability in Wappointment Appointment Bookings for Zoom GoogleMeet and more – Wappointment. This issue affects Appointment Bookings for Zoom GoogleMeet and more – Wappointment: from n/a through 2.6…
- CVE-2024-32718 · MEDIUM · CVSS 4.9 · EG 4.9 · 2024-04-24
Server-Side Request Forgery (SSRF) vulnerability in Webangon The Pack Elementor. This issue affects The Pack Elementor addons: from n/a through 2.0.8.2.
- CVE-2024-32775 · MEDIUM · CVSS 4.9 · EG 4.9 · 2024-04-24
Server-Side Request Forgery (SSRF) vulnerability in Pavex Embed Google Photos album. This issue affects Embed Google Photos album: from n/a through 2.1.9.
- CVE-2024-32803 · MEDIUM · CVSS 6.4 · EG 6.4 · 2024-04-24
Server-Side Request Forgery (SSRF) vulnerability in 2day.Sk, Webikon SuperFaktura WooCommerce. This issue affects SuperFaktura WooCommerce: from n/a through 1.40.3.
- CVE-2024-32812 · MEDIUM · CVSS 5.4 · EG 5.4 · 2024-04-24
Server-Side Request Forgery (SSRF) vulnerability in Podlove Podlove Podcast Publisher. This issue affects Podlove Podcast Publisher: from n/a through 4.0.11.
- CVE-2024-32819 · MEDIUM · CVSS 4.9 · EG 4.9 · 2024-04-24
Server-Side Request Forgery (SSRF) vulnerability in Culqi. This issue affects Culqi: from n/a through 3.0.14.
- CVE-2024-32955 · MEDIUM · CVSS 4.9 · EG 4.9 · 2024-04-24
Server-Side Request Forgery (SSRF) vulnerability in Foliovision FV Flowplayer Video Player. This issue affects FV Flowplayer Video Player: from n/a through 7.5.43.7212.
- CVE-2024-32964 · CRITICAL · CVSS 9.0 · EG 9.0 · 2024-05-14
Lobe Chat is a chatbot framework that supports speech synthesis, multimodal, and extensible Function Call plugin system. Prior to 0.150.6, lobe-chat had an unauthorized Server-Side Request Forgery vulnerability in the /api/proxy endpoint. …
- CVE-2024-32965 · HIGH · CVSS 8.1 · EG 8.1 · 2024-11-26
Lobe Chat is an open-source, AI chat framework. Versions of lobe-chat prior to 1.19.13 have an unauthorized SSRF vulnerability. An attacker can construct malicious requests to cause SSRF without logging in, attack intranet services, and le…
- CVE-2024-32987 · HIGH · CVSS 7.5 · EG 7.5 · 2024-07-09
Microsoft SharePoint Server Information Disclosure Vulnerability
- CVE-2024-33117 · MEDIUM · CVSS 5.3 · EG 5.3 · 2024-05-06
crmeb_java v1.3.4 was discovered to contain a Server-Side Request Forgery (SSRF) via the mergeList method in class com.zbkj.front.pub.ImageMergeController.
- CVE-2024-33250 · HIGH · CVSS 7.2 · EG 7.2 · 2024-05-14
An issue in Open-Source Technology Committee SRS real-time video server RS/4.0.268(Leo) and SRS/4.0.195(Leo) allows a remote attacker to execute arbitrary code via a crafted request.
- CVE-2024-33590 · MEDIUM · CVSS 5.0 · EG 5.0 · 2024-04-29
Server-Side Request Forgery (SSRF) vulnerability in codeSavory Knowledge Base documentation & wiki plugin – BasePress. This issue affects Knowledge Base documentation & wiki plugin – BasePress: from n/a through 2.16.1.
- CVE-2024-33592 · MEDIUM · CVSS 5.4 · EG 5.4 · 2024-04-25
Server-Side Request Forgery (SSRF) vulnerability in SoftLab Radio Player. This issue affects Radio Player: from n/a through 2.0.73.
- CVE-2024-33627 · MEDIUM · CVSS 4.4 · EG 4.4 · 2024-04-29
Server-Side Request Forgery (SSRF) vulnerability in Cusmin Absolutely Glamorous Custom Admin. This issue affects Absolutely Glamorous Custom Admin: from n/a through 7.2.2.
- CVE-2024-33629 · MEDIUM · CVSS 4.4 · EG 4.4 · 2024-04-29
Server-Side Request Forgery (SSRF) vulnerability in Creative Motion Auto Featured Image (Auto Post Thumbnail). This issue affects Auto Featured Image (Auto Post Thumbnail): from n/a through 4.0.0.
- CVE-2024-33634 · MEDIUM · CVSS 5.4 · EG 5.4 · 2024-04-29
Server-Side Request Forgery (SSRF) vulnerability in Piotnet Piotnet Addons For Elementor Pro. This issue affects Piotnet Addons For Elementor Pro: from n/a through 7.1.17.
- CVE-2024-33832 · MEDIUM · CVSS 6.3 · EG 6.3 · 2024-04-30
OneNav v0.9.35-20240318 was discovered to contain a Server-Side Request Forgery (SSRF) via the component /index.php?c=api&method=get_link_info.
- CVE-2024-33857 · CRITICAL · CVSS 9.6 · EG 9.6 · 2024-05-07
An issue was discovered in Logpoint before 7.4.0. Due to a lack of input validation on URLs in threat intelligence, an attacker with low-level access to the system can trigger Server Side Request Forgery.