CWE-918 — Server-Side Request Forgery (SSRF)
2,383 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories.
CVEs classified under CWE-918 (page 33 of 48)
- CVE-2025-29452 | HIGH | CVSS 7.6 | EG 7.6 | 2025-04-17
An issue in Seo Panel 4.11.0 allows a remote attacker to obtain sensitive information via the Proxy Manager component.
- CVE-2025-29453 | MEDIUM | CVSS 6.5 | EG 6.5 | 2025-04-17
An issue in personal-management-system Personal Management System 1.4.65 allows a remote attacker to obtain sensitive information via the my-contacts-settings component.
- CVE-2025-29454 | MEDIUM | CVSS 6.5 | EG 6.5 | 2025-04-17
An issue in personal-management-system Personal Management System 1.4.65 allows a remote attacker to obtain sensitive information via the Upload function.
- CVE-2025-29455 | MEDIUM | CVSS 6.5 | EG 6.5 | 2025-04-17
An issue in personal-management-system Personal Management System 1.4.65 allows a remote attacker to obtain sensitive information via the Travel Ideas function.
- CVE-2025-29456 | MEDIUM | CVSS 6.5 | EG 6.5 | 2025-04-17
An issue in personal-management-system Personal Management System 1.4.65 allows a remote attacker to obtain sensitive information via the create Notes function.
- CVE-2025-29457 | HIGH | CVSS 7.6 | EG 7.6 | 2025-04-17
An issue in MyBB 1.8.38 allows a remote attacker to obtain sensitive information via the Import a Theme function. NOTE: the Supplier disputes this because of the allowed actions of Board administrators and because of SSRF mitigation.
- CVE-2025-29458 | HIGH | CVSS 7.6 | EG 7.6 | 2025-04-17
An issue in MyBB 1.8.38 allows a remote attacker to obtain sensitive information via the Change Avatar function. NOTE: the Supplier disputes this because of the allowed actions of Board administrators and because of SSRF mitigation.
- CVE-2025-29459 | HIGH | CVSS 7.6 | EG 7.6 | 2025-04-17
An issue in MyBB 1.8.38 allows a remote attacker to obtain sensitive information via the Mail function. NOTE: the Supplier disputes this because of the allowed actions of Board administrators and because of SSRF mitigation.
- CVE-2025-29460 | HIGH | CVSS 7.6 | EG 7.6 | 2025-04-17
An issue in MyBB 1.8.38 allows a remote attacker to obtain sensitive information via the Add Mycode function. NOTE: the Supplier disputes this because of the allowed actions of Board administrators and because of SSRF mitigation.
- CVE-2025-29461 | HIGH | CVSS 7.6 | EG 7.6 | 2025-04-17
An issue in a-blogcms 3.1.15 allows a remote attacker to obtain sensitive information via the /bid/1/admin/entry-edit/ path.
- CVE-2025-29720 | MEDIUM | CVSS 4.8 | EG 4.8 | 2025-04-14
Dify v1.0 was discovered to contain a Server-Side Request Forgery (SSRF) via the component controllers.console.remote_files.RemoteFileUploadApi.
- CVE-2025-2987 | LOW | CVSS 3.8 | EG 3.8 | 2025-04-22
IBM Maximo Asset Management 7.6.1.3 is vulnerable to server-side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating oth…
- CVE-2025-2997 | MEDIUM | CVSS 6.3 | EG 6.3 | 2025-03-31
A vulnerability was found in zhangyanbo2007 youkefu 4.2.0. It has been classified as critical. Affected is an unknown function of the file /res/url. The manipulation of the argument url leads to server-side request forgery. It is possible …
- CVE-2025-29972 | CRITICAL | CVSS 9.9 | EG 9.9 | 2025-05-08
Server-side request forgery (ssrf) in Azure Storage Resource Provider allows an authorized attacker to perform spoofing over a network.
- CVE-2025-30220 | CRITICAL | CVSS 9.9 | EG 9.9 | 2025-06-10
GeoServer is an open source server that allows users to share and edit geospatial data. GeoTools Schema class use of Eclipse XSD library to represent schema data structure is vulnerable to XML External Entity (XXE) exploit. This impacts wh…
- CVE-2025-30678 | MEDIUM | CVSS 6.5 | EG 6.5 | 2025-06-17
A Server-side Request Forgery (SSRF) vulnerability in Trend Micro Apex Central (on-premise) modTMSM component could allow an attacker to manipulate certain parameters leading to information disclosure on affected installations.
- CVE-2025-30679 | MEDIUM | CVSS 6.5 | EG 6.5 | 2025-06-17
A Server-side Request Forgery (SSRF) vulnerability in Trend Micro Apex Central (on-premise) modOSCE component could allow an attacker to manipulate certain parameters leading to information disclosure on affected installations.
- CVE-2025-30680 | HIGH | CVSS 7.1 | EG 7.1 | 2025-06-17
A Server-side Request Forgery (SSRF) vulnerability in Trend Micro Apex Central (SaaS) could allow an attacker to manipulate certain parameters leading to information disclosure on affected installations. Please note: this vulnerabilit…
- CVE-2025-30914 | MEDIUM | CVSS 4.4 | EG 4.4 | 2025-03-27
Server-Side Request Forgery (SSRF) vulnerability in Roxnor Metform metform allows Server Side Request Forgery. This issue affects Metform: from n/a through <= 3.9.2.
- CVE-2025-30964 | MEDIUM | CVSS 5.4 | EG 5.4 | 2025-04-15
Server-Side Request Forgery (SSRF) vulnerability in ThemeGoods Photography photography allows Server Side Request Forgery. This issue affects Photography: from n/a through < 7.7.6.
- CVE-2025-30976 | MEDIUM | CVSS 4.9 | EG 4.9 | 2025-06-06
Server-Side Request Forgery (SSRF) vulnerability in wpdive Nexa Blocks nexa-blocks allows Server Side Request Forgery. This issue affects Nexa Blocks: from n/a through <= 1.1.1.
- CVE-2025-30997 | MEDIUM | CVSS 5.4 | EG 5.4 | 2025-06-06
Server-Side Request Forgery (SSRF) vulnerability in SmartDataSoft Car Repair Services car-repair-services allows Server Side Request Forgery. This issue affects Car Repair Services: from n/a through <= 5.0.
- CVE-2025-31009 | MEDIUM | CVSS 5.4 | EG 5.4 | 2025-04-09
Server-Side Request Forgery (SSRF) vulnerability in Jan Boddez IndieBlocks indieblocks allows Server Side Request Forgery. This issue affects IndieBlocks: from n/a through <= 0.13.1.
- CVE-2025-31076 | MEDIUM | CVSS 4.9 | EG 4.9 | 2025-03-28
Server-Side Request Forgery (SSRF) vulnerability in WP Compress WP Compress for MainWP wp-compress-mainwp allows Server Side Request Forgery. This issue affects WP Compress for MainWP: from n/a through <= 6.30.03.
- CVE-2025-31116 | MEDIUM | CVSS 4.4 | EG 4.4 | 2025-03-31
Mobile Security Framework (MobSF) is a pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis. The mitigation for CVE-2024-29190 in valid_host() uses socket.gethostbyname(), which …
- CVE-2025-31117 | HIGH | CVSS 7.5 | EG 7.5 | 2025-03-31
OpenEMR is a free and open source electronic health records and medical practice management application. An Out-of-Band Server-Side Request Forgery (OOB SSRF) vulnerability was identified in OpenEMR, allowing an attacker to force the serve…
- CVE-2025-31490 | HIGH | CVSS 7.5 | EG 7.5 | 2025-04-14
AutoGPT is a platform that allows users to create, deploy, and manage continuous artificial intelligence agents that automate complex workflows. Prior to 0.6.1, AutoGPT allows SSRF due to DNS Rebinding in requests wrapper. AutoGPT is built…
- CVE-2025-31527 | MEDIUM | CVSS 6.4 | EG 6.4 | 2025-03-31
Server-Side Request Forgery (SSRF) vulnerability in Kishan WP Link Preview wp-link-preview allows Server Side Request Forgery. This issue affects WP Link Preview: from n/a through <= 1.4.1.
- CVE-2025-31796 | MEDIUM | CVSS 5.4 | EG 5.4 | 2025-04-01
Server-Side Request Forgery (SSRF) vulnerability in TheInnovs ElementsCSS Addons for Elementor css-for-elementor allows Server Side Request Forgery. This issue affects ElementsCSS Addons for Elementor: from n/a through <= 1.0.8.9.
- CVE-2025-31824 | MEDIUM | CVSS 5.4 | EG 5.4 | 2025-04-01
Server-Side Request Forgery (SSRF) vulnerability in Wombat Plugins WP Optin Wheel wp-optin-wheel allows Server Side Request Forgery. This issue affects WP Optin Wheel: from n/a through <= 1.4.7.
- CVE-2025-3192 | HIGH | CVSS 8.2 | EG 8.2 | 2025-04-04
Versions of the package spatie/browsershot from 0.0.0 are vulnerable to Server-side Request Forgery (SSRF) in the setUrl() function due to a missing restriction on user input, enabling attackers to access localhost and list all of its dire…
- CVE-2025-31993 | LOW | CVSS 3.5 | EG 3.5 | 2025-10-12
HCL Unica Centralized Offer Management is vulnerable to a potential Server-Side Request Forgery (SSRF). An attacker can exploit improper input validation by submitting maliciously crafted input to a target application running on a server.
- CVE-2025-32013 | HIGH | CVSS 7.5 | EG 7.5 | 2025-04-06
LNbits is a Lightning wallet and accounts system. A Server-Side Request Forgery (SSRF) vulnerability has been discovered in LNbits' LNURL authentication handling functionality. When processing LNURL authentication requests, the application…
- CVE-2025-32102 | MEDIUM | CVSS 5.0 | EG 5.0 | 2025-04-15
CrushFTP 9.x and 10.x through 10.8.4 and 11.x through 11.3.1 allows SSRF via the host and port parameters in a command=telnetSocket request to the /WebInterface/function/ URI.
- CVE-2025-32355 | HIGH | CVSS 7.3 | EG 7.3 | 2026-02-17
Rocket TRUfusion Enterprise through 7.10.4.0 uses a reverse proxy to handle incoming connections. However, the proxy is misconfigured in a way that allows specifying absolute URLs in the HTTP request line, causing the proxy to load the giv…
- CVE-2025-32358 | MEDIUM | CVSS 4.0 | EG 4.0 | 2025-04-05
In Zammad 6.4.x before 6.4.2, SSRF can occur. Authenticated admin users can enable webhooks in Zammad, which are triggered as POST requests when certain conditions are met. If a webhook endpoint returned a redirect response, Zammad would f…
- CVE-2025-32372 | MEDIUM | CVSS 6.5 | EG 6.5 | 2025-04-09
DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. A bypass has been identified for the previously known vulnerability CVE-2017-0929, allowing unauthenticated attackers to execute …
- CVE-2025-32487 | MEDIUM | CVSS 4.9 | EG 4.9 | 2025-04-09
Server-Side Request Forgery (SSRF) vulnerability in Joe Waymark waymark allows Server Side Request Forgery. This issue affects Waymark: from n/a through <= 1.5.2.
- CVE-2025-3254 | MEDIUM | CVSS 6.3 | EG 6.3 | 2025-04-04
A vulnerability was found in xujiangfei admintwo 1.0. It has been classified as critical. Affected is an unknown function of the file /resource/add. The manipulation of the argument description leads to server-side request forgery. It is p…
- CVE-2025-32675 | MEDIUM | CVSS 6.8 | EG 6.8 | 2025-04-09
Server-Side Request Forgery (SSRF) vulnerability in QuantumCloud SEO Help seo-help allows Server Side Request Forgery. This issue affects SEO Help: from n/a through <= 6.7.9.
- CVE-2025-32691 | MEDIUM | CVSS 4.9 | EG 4.9 | 2025-04-09
Server-Side Request Forgery (SSRF) vulnerability in blubrry PowerPress Podcasting powerpress allows Server Side Request Forgery. This issue affects PowerPress Podcasting: from n/a through <= 11.12.6.
- CVE-2025-33203 | HIGH | CVSS 7.6 | EG 7.6 | 2025-11-25
NVIDIA NeMo Agent Toolkit UI for Web contains a vulnerability in the chat API endpoint where an attacker may cause a Server-Side Request Forgery. A successful exploit of this vulnerability may lead to information disclosure and denial of s…
- CVE-2025-34021 | HIGH | CVSS 7.8 | EG 0.0 | 2025-06-20
A server-side request forgery (SSRF) vulnerability exists in multiple Selea Targa IP OCR-ANPR camera models, including iZero, Targa 512, Targa 504, Targa Semplice, Targa 704 TKM, Targa 805, Targa 710 INOX, Targa 750, and Targa 704 ILB. The…
- CVE-2025-34051 | MEDIUM | CVSS 6.9 | EG 0.0 | 2025-07-01
A server-side request forgery vulnerability exists in multiple firmware versions of AVTECH DVR devices that exposes the /cgi-bin/nobody/Search.cgi?action=cgi_query endpoint without authentication. An attacker can manipulate the ip, port, a…
- CVE-2025-3411 | MEDIUM | CVSS 6.3 | EG 6.3 | 2025-04-08
A vulnerability, which was classified as critical, has been found in mymagicpower AIAS 20250308. This issue affects some unknown processing of the file 3_api_platform/api-platform/src/main/java/top/aias/platform/controller/AsrController.ja…
- CVE-2025-3412 | MEDIUM | CVSS 6.3 | EG 6.3 | 2025-04-08
A vulnerability, which was classified as critical, was found in mymagicpower AIAS 20250308. Affected is an unknown function of the file 2_training_platform/train-platform/src/main/java/top/aias/training/controller/InferController.java. The…
- CVE-2025-34225 | HIGH | CVSS 8.6 | EG 8.6 | 2025-09-29
Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 25.1.102 and Application prior to version 25.1.1413 (VA/SaaS deployments) contain a server-side request forgery (SSRF) vulnerability. The `console_release` dire…
- CVE-2025-34228 | HIGH | CVSS 8.6 | EG 8.6 | 2025-09-29
Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 25.1.102 and Application prior to version 25.1.1413 (VA/SaaS deployments) contain a server-side request forgery (SSRF) vulnerability. The `/var/www/app/console_…
- CVE-2025-34229 | MEDIUM | CVSS 5.8 | EG 5.8 | 2025-09-29
Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 25.1.102 and Application prior to version 25.1.1413 (VA/SaaS deployments) contain a blind server-side request forgery (SSRF) vulnerability reachable via the /v…
- CVE-2025-34230 | MEDIUM | CVSS 5.8 | EG 5.8 | 2025-09-29
Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 25.1.102 and Application prior to version 25.1.1413 (VA/SaaS deployments) contain a blind server-side request forgery (SSRF) vulnerability reachable via the /var/…