CWE-918 — Server-Side Request Forgery (SSRF)
2,382 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE.
CVEs classified under CWE-918 (page 28 of 48)
- CVE-2024-5186 | HIGH | CVSS 7.2 | EG 8.3 | 2024-06-06
A Server-Side Request Forgery (SSRF) vulnerability exists in the file upload section of imartinez/privategpt version 0.5.0. This vulnerability allows attackers to send crafted requests that could result in unauthorized access to the local …
- CVE-2024-51980 | MEDIUM | CVSS 5.3 | EG 5.3 | 2025-06-25
An unauthenticated attacker may perform a limited server side request forgery (SSRF), forcing the target device to open a TCP connection to an arbitrary port number on an arbitrary IP address. This SSRF leverages the WS-Addressing ReplyTo …
- CVE-2024-51981 | MEDIUM | CVSS 5.3 | EG 5.3 | 2025-06-25
An unauthenticated attacker may perform a blind server side request forgery (SSRF), due to a CRLF injection issue that can be leveraged to perform HTTP request smuggling. This SSRF leverages the WS-Addressing feature used during a WS-Event…
- CVE-2024-52579 | MEDIUM | CVSS 6.4 | EG 6.4 | 2024-12-18
Misskey is an open source, federated social media platform. Some APIs using `HttpRequestService` do not properly check the target host. This vulnerability allows an attacker to send POST or GET requests to the internal server, which may re…
- CVE-2024-52588 | MEDIUM | CVSS 4.9 | EG 4.9 | 2025-05-29
Strapi is an open-source content management system. Prior to version 4.25.2, inputting a local domain into the Webhooks URL field leads to the application fetching itself, resulting in a server side request forgery (SSRF). This issue has b…
- CVE-2024-52594 | MEDIUM | CVSS 4.3 | EG 4.3 | 2025-01-16
Gomatrixserverlib is a Go library for matrix federation. Gomatrixserverlib is vulnerable to server-side request forgery, serving content from a private network it can access, under certain conditions. The commit `c4f1e01` fixes this issue.…
- CVE-2024-52598 | HIGH | CVSS 7.5 | EG 7.5 | 2024-11-20
2FAuth is a web app to manage Two-Factor Authentication (2FA) accounts and generate their security codes. Two interconnected vulnerabilities exist in version 5.4.1 a SSRF and URI validation bypass issue. The endpoint at POST /api/v1/twofac…
- CVE-2024-52602 | MEDIUM | CVSS 5.0 | EG 5.0 | 2025-01-16
Matrix Media Repo (MMR) is a highly configurable multi-homeserver media repository for Matrix. Matrix Media Repo (MMR) is vulnerable to server-side request forgery, serving content from a private network it can access, under certain condit…
- CVE-2024-52606 | LOW | CVSS 3.5 | EG 3.5 | 2025-02-11
SolarWinds Platform is affected by server-side request forgery vulnerability. Proper input sanitation was not applied allowing for the possibility of a malicious web request.
- CVE-2024-5328 | CRITICAL | CVSS 9.3 | EG 8.6 | 2024-06-06
A Server-Side Request Forgery (SSRF) vulnerability exists in the lunary-ai/lunary application, specifically within the endpoint '/auth/saml/tto/download-idp-xml'. The vulnerability arises due to the application's failure to validate user-s…
- CVE-2024-53696 | MEDIUM | CVSS 4.9 | EG 4.9 | 2025-03-07
A server-side request forgery (SSRF) vulnerability has been reported to affect QuLog Center. If exploited, the vulnerability could allow remote attackers who have gained administrator access to read application data. We have already fixed…
- CVE-2024-53705 | HIGH | CVSS 7.5 | EG 7.5 | 2025-01-09
A Server-Side Request Forgery vulnerability in the SonicOS SSH management interface allows a remote attacker to establish a TCP connection to an IP address on any port when the user is logged in to the firewall.
- CVE-2024-53738 | MEDIUM | CVSS 4.4 | EG 4.4 | 2024-11-30
Server-Side Request Forgery (SSRF) vulnerability in Gabe Livan Asset CleanUp: Page Speed Booster wp-asset-clean-up allows Server Side Request Forgery. This issue affects Asset CleanUp: Page Speed Booster: from n/a through <= 1.3.9.8.
- CVE-2024-53983 | MEDIUM | CVSS 5.4 | EG 5.4 | 2024-11-29
The Backstage Scaffolder plugin houses types and utilities for building scaffolder-related modules. A vulnerability is identified in Backstage Scaffolder template functionality where Server-Side Template Injection (SSTI) can be exploited t…
- CVE-2024-54000 | HIGH | CVSS 7.5 | EG 7.5 | 2024-12-03
Mobile Security Framework (MobSF) is a pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis. In versions prior to 3.9.7, the requests.get() request in the _check_url method is sp…
- CVE-2024-54197 | HIGH | CVSS 7.2 | EG 7.2 | 2024-12-10
SAP NetWeaver Administrator(System Overview) allows an authenticated attacker to enumerate accessible HTTP endpoints in the internal network by specially crafting HTTP requests. On successful exploitation this can result in Server-Side Req…
- CVE-2024-54330 | HIGH | CVSS 7.2 | EG 7.2 | 2024-12-13
Server-Side Request Forgery (SSRF) vulnerability in hurraki Hurrakify hurrakify allows Server Side Request Forgery. This issue affects Hurrakify: from n/a through <= 2.4.
- CVE-2024-54385 | HIGH | CVSS 7.2 | EG 7.2 | 2024-12-16
Server-Side Request Forgery (SSRF) vulnerability in princeahmed Radio Player radio-player allows Server Side Request Forgery. This issue affects Radio Player: from n/a through <= 2.0.83.
- CVE-2024-54819 | CRITICAL | CVSS 9.1 | EG 9.1 | 2025-01-07
I, Librarian before and including 5.11.1 is vulnerable to Server-Side Request Forgery (SSRF) due to improper input validation in classes/security/validation.php
- CVE-2024-5482 | CRITICAL | CVSS 9.8 | EG 7.4 | 2024-06-06
A Server-Side Request Forgery (SSRF) vulnerability exists in the 'add_webpage' endpoint of the parisneo/lollms-webui application, affecting the latest version. The vulnerability arises because the application does not adequately validate U…
- CVE-2024-55082 | HIGH | CVSS 7.5 | EG 7.5 | 2024-12-19
A Server-Side Request Forgery (SSRF) in the endpoint http://{your-server}/url-to-pdf of Stirling-PDF 0.35.1 allows attackers to access sensitive information via a crafted request.
- CVE-2024-55086 | HIGH | CVSS 7.2 | EG 7.2 | 2024-12-18
In the GetSimple CMS CE 3.3.19 management page, Server-Side Request Forgery (SSRF) can be achieved in the plug-in download address in the backend management system.
- CVE-2024-55089 | MEDIUM | CVSS 4.1 | EG 9.1 | 2024-12-18
Rhymix before 2.1.24 is vulnerable to Server-Side Request Forgery (SSRF) in the background import data function because XML documents may contain external entities.
- CVE-2024-5526 | HIGH | CVSS 7.7 | EG 7.7 | 2024-06-05
Grafana OnCall is an easy-to-use on-call management tool that will help reduce toil in on-call management through simpler workflows and interfaces that are tailored specifically for engineers. Grafana OnCall, from version 1.1.37 before 1.…
- CVE-2024-55399 | MEDIUM | CVSS 6.5 | EG 6.5 | 2025-08-06
4C Strategies Exonaut before v21.6.2.1-1 was discovered to contain a Server-Side Request Forgery (SSRF).
- CVE-2024-55875 | CRITICAL | CVSS 9.8 | EG 9.8 | 2024-12-12
http4k is a functional toolkit for Kotlin HTTP applications. Prior to version 5.41.0.0, there is a potential XXE (XML External Entity Injection) vulnerability when http4k handling malicious XML contents within requests, which might allow a…
- CVE-2024-55910 | MEDIUM | CVSS 6.5 | EG 6.5 | 2025-05-02
IBM Concert Software 1.0.0 through 1.0.5 is vulnerable to server-side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitatin…
- CVE-2024-56275 | MEDIUM | CVSS 4.1 | EG 4.1 | 2025-01-07
Server-Side Request Forgery (SSRF) vulnerability in Envato Envato Elements allows Server Side Request Forgery. This issue affects Envato Elements: from n/a through 2.0.14.
- CVE-2024-56279 | MEDIUM | CVSS 6.4 | EG 6.4 | 2025-01-07
Server-Side Request Forgery (SSRF) vulnerability in mra13 Compact WP Audio Player compact-wp-audio-player allows Server Side Request Forgery. This issue affects Compact WP Audio Player: from n/a through <= 1.9.14.
- CVE-2024-56470 | MEDIUM | CVSS 5.4 | EG 5.4 | 2025-02-05
IBM Aspera Shares 1.9.0 through 1.10.0 PL6 is vulnerable to server-side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilit…
- CVE-2024-56471 | MEDIUM | CVSS 5.4 | EG 5.4 | 2025-02-05
IBM Aspera Shares 1.9.0 through 1.10.0 PL6 is vulnerable to server-side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilit…
- CVE-2024-56736 | MEDIUM | CVSS 6.5 | EG 6.5 | 2025-04-16
Server-Side Request Forgery (SSRF) vulnerability in Apache HertzBeat. This issue affects Apache HertzBeat (incubating): before 1.7.0. Users are recommended to upgrade to version 1.7.0, which fixes the issue.
- CVE-2024-56800 | HIGH | CVSS 7.4 | EG 7.4 | 2024-12-30
Firecrawl is a web scraper that allows users to extract the content of a webpage for a large language model. Versions prior to 1.1.1 contain a server-side request forgery (SSRF) vulnerability. The scraping engine could be exploited by craf…
- CVE-2024-57252 | MEDIUM | CVSS 4.3 | EG 4.3 | 2025-01-17
OtCMS <=V7.46 is vulnerable to Server-Side Request Forgery (SSRF) in /admin/read.php, which can read system files arbitrarily.
- CVE-2024-5736 | HIGH | CVSS 7.5 | EG 7.5 | 2024-06-28
Server Side Request Forgery (SSRF) vulnerability in AdmirorFrames Joomla! extension in afGdStream.php script allows to access local files or server pages available only from localhost. This issue affects AdmirorFrames: before 5.0.
- CVE-2024-5746 | HIGH | CVSS 7.6 | EG 7.6 | 2024-06-20
A Server-Side Request Forgery vulnerability was identified in GitHub Enterprise Server that allowed an attacker with the Site Administrator role to gain arbitrary code execution capability on the GitHub Enterprise Server instance. Exploita…
- CVE-2024-57767 | HIGH | CVSS 8.6 | EG 8.6 | 2025-01-15
MSFM before v2025.01.01 was discovered to contain a Server-Side Request Forgery (SSRF) via the component /file/download.
- CVE-2024-5822 | CRITICAL | CVSS 9.8 | EG 7.3 | 2024-06-27
A Server-Side Request Forgery (SSRF) vulnerability exists in the upload processing interface of gaizhenbiao/ChuanhuChatGPT versions <= ChuanhuChatGPT-20240410-git.zip. This vulnerability allows attackers to send crafted requests from the v…
- CVE-2024-5885 | HIGH | CVSS 8.6 | EG 8.6 | 2024-06-27
stangirard/quivr version 0.0.236 contains a Server-Side Request Forgery (SSRF) vulnerability. The application does not provide sufficient controls when crawling a website, allowing an attacker to access applications on the local network. T…
- CVE-2024-5917 | MEDIUM | CVSS 4.9 | EG 4.9 | 2024-11-14
A server-side request forgery in PAN-OS software enables an authenticated attacker with administrative privileges to use the administrative web interface as a proxy, which enables the attacker to view internal network resources not otherwi…
- CVE-2024-6095 | MEDIUM | CVSS 5.8 | EG 5.8 | 2024-07-06
A vulnerability in the /models/apply endpoint of mudler/localai versions 2.15.0 allows for Server-Side Request Forgery (SSRF) and partial Local File Inclusion (LFI). The endpoint supports both http(s):// and file:// schemes, where the latt…
- CVE-2024-6155 | MEDIUM | CVSS 6.4 | EG 6.4 | 2025-01-09
The Greenshift – animation and page builder blocks plugin for WordPress is vulnerable to Authenticated (Subscriber+) Server-Side Request Forgery and Stored Cross Site Scripting in all versions up to, and including, 9.0.0 due to a missing…
- CVE-2024-6424 | CRITICAL | CVSS 9.3 | EG 9.3 | 2024-07-01
External server-side request vulnerability in MESbook 20221021.03 version, which could allow a remote, unauthenticated attacker to exploit the endpoint "/api/Proxy/Post?userName=&password=&uri=<FILE|INTERNAL URL|IP/HOST" or "/api/Proxy/Get…
- CVE-2024-6522 | HIGH | CVSS 8.5 | EG 8.5 | 2024-08-07
The Modern Events Calendar plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 7.12.1 via the 'mec_fes_form' AJAX function. This makes it possible for authenticated attackers, with Subscr…
- CVE-2024-6524 | MEDIUM | CVSS 5.5 | EG 5.5 | 2024-07-05
A vulnerability was found in ShopXO up to 6.1.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file extend/base/Uploader.php. The manipulation of the argument source leads to server-sid…
- CVE-2024-6538 | MEDIUM | CVSS 5.3 | EG 5.3 | 2024-11-25
A flaw was found in OpenShift Console. A Server Side Request Forgery (SSRF) attack can happen if an attacker supplies all or part of a URL to the server to query. The server is considered to be in a privileged network position and can ofte…
- CVE-2024-6584 | CRITICAL | CVSS 9.1 | EG 9.1 | 2025-05-15
The 'wp_ajax_boost_proxy_ig' action allows administrators to make GET requests to arbitrary URLs.
- CVE-2024-6587 | HIGH | CVSS 7.5 | EG 7.5 | 2024-09-13
A Server-Side Request Forgery (SSRF) vulnerability exists in berriai/litellm version 1.38.10. This vulnerability allows users to specify the `api_base` parameter when making requests to `POST /chat/completions`, causing the application to …
- CVE-2024-6784 | CRITICAL | CVSS 9.9 | EG 9.9 | 2024-12-05
Server-Side Request Forgery vulnerabilities were found providing a potential for access to unauthorized resources and unintended information disclosure. Affected products: ABB ASPECT - Enterprise v3.08.02; NEXUS Series v3.08.02; MATR…
- CVE-2024-6922 | MEDIUM | CVSS 6.9 | EG 0.0 | 2024-07-26
Automation Anywhere Automation 360 v21-v32 is vulnerable to Server-Side Request Forgery in a web API component. An attacker with unauthenticated access to the Automation 360 Control Room HTTPS service (port 443) or HTTP service (port 80) c…