Skip to main content

CWE-918

Server-Side Request Forgery (SSRF)

2427 CVEs Avg CVSS 6.6 MITRE
338
CRITICAL
752
HIGH
1108
MEDIUM
223
LOW
774
POC
20
KEV

Monthly

CVE-2026-58196 Go LOW POC PATCH GHSA Monitor

Server-Side Request Forgery in ToolHive's host-side authentication discovery flow allows a malicious or compromised remote MCP server to force the ToolHive host process to issue arbitrary internal HTTP GET requests with redirect following and no address filtering, bypassing the container isolation that ToolHive is architecturally designed to enforce. Affected versions include all releases through v0.29.3 (commit b672d82f confirmed 2026-06-14); the fix is available in v0.31.0. A publicly reproducible proof-of-concept with recording exists demonstrating retrieval of cloud instance metadata via AWS IMDSv1 redirect; no CISA KEV listing is present, but the exploit is fully operationalized without special infrastructure on any deployment with IMDSv1 enabled.

SSRF
NVD GitHub
CVSS 3.1
4.7
CVE-2026-54452 Go MEDIUM PATCH GHSA This Month

SSRF protection bypass in the Doyensec safeurl Go library (versions prior to 0.2.4) allows network requests to four newly standardized IPv6 CIDR ranges that were absent from the library's internal blocklist. Applications that explicitly enable IPv6 via EnableIPv6(true) and rely on safeurl to enforce SSRF controls are exposed; attackers who can supply attacker-controlled URLs to such applications may reach internal resources hosted on NAT64 local-use (64:ff9b:1::/48), SRv6 SID (5f00::/16), documentation (3fff::/20), or Dummy IPv6 (100:0:0:1::/64) address space. No public exploit code or CISA KEV listing has been identified at time of analysis.

SSRF
NVD GitHub
CVE-2026-54450 Go LOW POC PATCH GHSA Monitor

ToolHive's hand-maintained SSRF guard (`networking.IsPrivateIP`) omits IPv6 NAT64 prefixes `64:ff9b::/96` (RFC 6052) and `64:ff9b:1::/48` (RFC 8215), allowing addresses like `64:ff9b:1::a9fe:a9fe` - the NAT64 encoding of the cloud metadata endpoint `169.254.169.254` - to be misclassified as globally routable and pass unchecked. On ToolHive deployments behind a NAT64/DNS64 gateway (the default in IPv6-only Kubernetes clusters and several IPv6-only cloud environments), an unauthenticated attacker can submit a crafted OAuth `client_id` URL that causes ToolHive's CIMD fetcher to dial internal or link-local addresses the guard is intended to block, achieving a blind internal-reachability oracle. Practical impact is limited to TCP/TLS connection probing rather than credential exfiltration due to HTTPS-only enforcement and TLS verification on the attacker-controlled path; a complete proof-of-concept is publicly available in the vendor advisory, and no public exploit identified at time of analysis as a KEV-listed active campaign.

Kubernetes Microsoft SSRF Oracle
NVD GitHub
CVE-2026-53446 MEDIUM This Month

Server-side request forgery in Wekan's webhook integration feature allows board administrators to register malicious webhook URLs that the Wekan server later fetches without private-network validation, enabling unauthorized access to internal services and cloud metadata endpoints. All Wekan deployments prior to version 9.32 are affected; the root cause is that the existing validateAttachmentUrl() guard present in models/lib/attachmentUrlValidation.js was never wired into the webhook creation and update API paths. No public exploit has been identified and this is not listed in CISA KEV, but cloud-hosted Wekan instances face meaningful credential theft risk via cloud metadata service access.

SSRF Wekan
NVD GitHub
CVSS 4.0
6.2
CVE-2026-15746 MEDIUM PATCH This Month

Server-side request forgery in the strands-agents-tools elasticsearch_memory tool enables prompt-injection attacks that exfiltrate the operator's Elasticsearch API key to attacker-controlled infrastructure. Applications using strands-agents-tools prior to 0.7.0 that rely on the ELASTICSEARCH_API_KEY environment-variable fallback - rather than explicitly passing api_key - are exposed to credential theft when an attacker can influence LLM input. No public exploit code or CISA KEV listing has been identified at time of analysis, but the prompt-injection-to-SSRF primitive is well understood in the AI agent security community and the credential-theft impact warrants prompt remediation.

Python SSRF Elastic Strands Agents Tools
NVD GitHub
CVSS 4.0
6.9
CVE-2026-54494 PHP MEDIUM POC PATCH GHSA This Month

Full-read SSRF in Koel's podcast subscription feature allows any authenticated user to coerce the server into fetching internal HTTP endpoints - including cloud instance metadata services - and receive the full response. The vulnerability exists because PHP's `filter_var` with `FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE` does not unwrap NAT64 (`64:ff9b::/96`) or 6to4 (`2002::/16`) IPv6 transition addresses, both of which deterministically embed a private IPv4 that the OS kernel routes internally. This affects all Koel deployments through v9.7.0 on NAT64 or dual-stack networks (the default for IPv6-only AWS and GCP subnets); a detailed proof-of-concept with verbatim server output is published in the advisory. No public exploit code is in KEV at time of analysis, but the PoC substantially lowers the exploitation barrier.

Microsoft SSRF PHP
NVD GitHub
CVE-2026-54491 PHP HIGH POC PATCH GHSA This Week

Server-side request forgery in Koel (self-hosted PHP music-streaming server, all releases up to and including 9.7.0) lets any authenticated low-privilege user coerce the server into requesting arbitrary internal or cloud-metadata endpoints. The flaw is an incomplete fix for CVE-2026-47260: the initial isSafeUrl() check was added to several podcast/radio fetchers, but per-redirect-hop re-validation was wired into only one path (EpisodePlayable), leaving every sibling fetcher bypassable via an attacker-controlled host that returns an HTTP 302 to an internal address, and all paths bypassable via DNS rebinding. A researcher mechanism PoC confirms exploitation; not listed in CISA KEV and no evidence of active exploitation.

Microsoft SSRF PHP
NVD GitHub
CVSS 3.1
7.1
CVE-2026-54493 PHP HIGH POC PATCH GHSA This Week

{id}. Publicly available exploit code exists (a working PoC is published in the GHSA advisory), but it is not in CISA KEV and no active exploitation is identified.

Docker SSRF PHP
NVD GitHub
CVSS 3.1
7.7
CVE-2026-54492 PHP MEDIUM POC PATCH GHSA This Month

Authenticated blind SSRF in Koel v9.6.0 allows any logged-in user to trigger server-side HTTP requests to private, loopback, and RFC1918 destinations by exploiting a missing SafeUrl validation guard on the Subsonic-compatible createPodcastChannel.view route. The main podcast API correctly rejects private URLs with a 422 error, but the Subsonic compatibility layer omits the same SafeUrl rule, and the attacker-supplied URL is fetched synchronously during channel creation via Poddle::fromUrl() - no separate step required. No public exploit identified at time of analysis per KEV status, but a fully documented public PoC with step-by-step curl commands is available in GHSA-w79m-f3jx-779v, validated against the official phanan/koel:9.6.0 Docker image.

Docker SSRF PHP
NVD GitHub
CVSS 3.1
4.3
CVE-2026-45806 HIGH PATCH This Week

Server-side request forgery in Penpot before 2.15.0 lets an authenticated file editor coerce the backend into fetching attacker-chosen URLs via the remote image import feature, reaching internal-only endpoints that are normally unreachable from the outside. The :create-file-media-object-from-url RPC method passes a user-controlled URL to the shared HTTP client with no destination filtering (CVSS 7.7, scope-changed). No public exploit has been identified at time of analysis, but the fix in 2.15.0 is confirmed by the vendor advisory GHSA-35g2-w7f6-8v9h.

SSRF Penpot
NVD GitHub
CVSS 3.1
7.7
CVSS 4.7
LOW POC PATCH Monitor

Server-Side Request Forgery in ToolHive's host-side authentication discovery flow allows a malicious or compromised remote MCP server to force the ToolHive host process to issue arbitrary internal HTTP GET requests with redirect following and no address filtering, bypassing the container isolation that ToolHive is architecturally designed to enforce. Affected versions include all releases through v0.29.3 (commit b672d82f confirmed 2026-06-14); the fix is available in v0.31.0. A publicly reproducible proof-of-concept with recording exists demonstrating retrieval of cloud instance metadata via AWS IMDSv1 redirect; no CISA KEV listing is present, but the exploit is fully operationalized without special infrastructure on any deployment with IMDSv1 enabled.

SSRF
NVD GitHub
MEDIUM PATCH This Month

SSRF protection bypass in the Doyensec safeurl Go library (versions prior to 0.2.4) allows network requests to four newly standardized IPv6 CIDR ranges that were absent from the library's internal blocklist. Applications that explicitly enable IPv6 via EnableIPv6(true) and rely on safeurl to enforce SSRF controls are exposed; attackers who can supply attacker-controlled URLs to such applications may reach internal resources hosted on NAT64 local-use (64:ff9b:1::/48), SRv6 SID (5f00::/16), documentation (3fff::/20), or Dummy IPv6 (100:0:0:1::/64) address space. No public exploit code or CISA KEV listing has been identified at time of analysis.

SSRF
NVD GitHub
LOW POC PATCH Monitor

ToolHive's hand-maintained SSRF guard (`networking.IsPrivateIP`) omits IPv6 NAT64 prefixes `64:ff9b::/96` (RFC 6052) and `64:ff9b:1::/48` (RFC 8215), allowing addresses like `64:ff9b:1::a9fe:a9fe` - the NAT64 encoding of the cloud metadata endpoint `169.254.169.254` - to be misclassified as globally routable and pass unchecked. On ToolHive deployments behind a NAT64/DNS64 gateway (the default in IPv6-only Kubernetes clusters and several IPv6-only cloud environments), an unauthenticated attacker can submit a crafted OAuth `client_id` URL that causes ToolHive's CIMD fetcher to dial internal or link-local addresses the guard is intended to block, achieving a blind internal-reachability oracle. Practical impact is limited to TCP/TLS connection probing rather than credential exfiltration due to HTTPS-only enforcement and TLS verification on the attacker-controlled path; a complete proof-of-concept is publicly available in the vendor advisory, and no public exploit identified at time of analysis as a KEV-listed active campaign.

Kubernetes Microsoft SSRF +1
NVD GitHub
CVSS 6.2
MEDIUM This Month

Server-side request forgery in Wekan's webhook integration feature allows board administrators to register malicious webhook URLs that the Wekan server later fetches without private-network validation, enabling unauthorized access to internal services and cloud metadata endpoints. All Wekan deployments prior to version 9.32 are affected; the root cause is that the existing validateAttachmentUrl() guard present in models/lib/attachmentUrlValidation.js was never wired into the webhook creation and update API paths. No public exploit has been identified and this is not listed in CISA KEV, but cloud-hosted Wekan instances face meaningful credential theft risk via cloud metadata service access.

SSRF Wekan
NVD GitHub
CVSS 6.9
MEDIUM PATCH This Month

Server-side request forgery in the strands-agents-tools elasticsearch_memory tool enables prompt-injection attacks that exfiltrate the operator's Elasticsearch API key to attacker-controlled infrastructure. Applications using strands-agents-tools prior to 0.7.0 that rely on the ELASTICSEARCH_API_KEY environment-variable fallback - rather than explicitly passing api_key - are exposed to credential theft when an attacker can influence LLM input. No public exploit code or CISA KEV listing has been identified at time of analysis, but the prompt-injection-to-SSRF primitive is well understood in the AI agent security community and the credential-theft impact warrants prompt remediation.

Python SSRF Elastic +1
NVD GitHub
MEDIUM POC PATCH This Month

Full-read SSRF in Koel's podcast subscription feature allows any authenticated user to coerce the server into fetching internal HTTP endpoints - including cloud instance metadata services - and receive the full response. The vulnerability exists because PHP's `filter_var` with `FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE` does not unwrap NAT64 (`64:ff9b::/96`) or 6to4 (`2002::/16`) IPv6 transition addresses, both of which deterministically embed a private IPv4 that the OS kernel routes internally. This affects all Koel deployments through v9.7.0 on NAT64 or dual-stack networks (the default for IPv6-only AWS and GCP subnets); a detailed proof-of-concept with verbatim server output is published in the advisory. No public exploit code is in KEV at time of analysis, but the PoC substantially lowers the exploitation barrier.

Microsoft SSRF PHP
NVD GitHub
CVSS 7.1
HIGH POC PATCH This Week

Server-side request forgery in Koel (self-hosted PHP music-streaming server, all releases up to and including 9.7.0) lets any authenticated low-privilege user coerce the server into requesting arbitrary internal or cloud-metadata endpoints. The flaw is an incomplete fix for CVE-2026-47260: the initial isSafeUrl() check was added to several podcast/radio fetchers, but per-redirect-hop re-validation was wired into only one path (EpisodePlayable), leaving every sibling fetcher bypassable via an attacker-controlled host that returns an HTTP 302 to an internal address, and all paths bypassable via DNS rebinding. A researcher mechanism PoC confirms exploitation; not listed in CISA KEV and no evidence of active exploitation.

Microsoft SSRF PHP
NVD GitHub
CVSS 7.7
HIGH POC PATCH This Week

{id}. Publicly available exploit code exists (a working PoC is published in the GHSA advisory), but it is not in CISA KEV and no active exploitation is identified.

Docker SSRF PHP
NVD GitHub
CVSS 4.3
MEDIUM POC PATCH This Month

Authenticated blind SSRF in Koel v9.6.0 allows any logged-in user to trigger server-side HTTP requests to private, loopback, and RFC1918 destinations by exploiting a missing SafeUrl validation guard on the Subsonic-compatible createPodcastChannel.view route. The main podcast API correctly rejects private URLs with a 422 error, but the Subsonic compatibility layer omits the same SafeUrl rule, and the attacker-supplied URL is fetched synchronously during channel creation via Poddle::fromUrl() - no separate step required. No public exploit identified at time of analysis per KEV status, but a fully documented public PoC with step-by-step curl commands is available in GHSA-w79m-f3jx-779v, validated against the official phanan/koel:9.6.0 Docker image.

Docker SSRF PHP
NVD GitHub
CVSS 7.7
HIGH PATCH This Week

Server-side request forgery in Penpot before 2.15.0 lets an authenticated file editor coerce the backend into fetching attacker-chosen URLs via the remote image import feature, reaching internal-only endpoints that are normally unreachable from the outside. The :create-file-media-object-from-url RPC method passes a user-controlled URL to the shared HTTP client with no destination filtering (CVSS 7.7, scope-changed). No public exploit has been identified at time of analysis, but the fix in 2.15.0 is confirmed by the vendor advisory GHSA-35g2-w7f6-8v9h.

SSRF Penpot
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy