Skip to main content

SSRF

2868 CVEs technique

Monthly

CVE-2024-27949 MEDIUM This Month

Server-Side Request Forgery (SSRF) vulnerability in Sirv CDN and Image Hosting Sirv sirv.2.0. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SSRF
NVD VulDB
CVSS 3.1
5.4
EPSS
0.1%
CVE-2024-0403 MEDIUM POC This Month

Recipes version 1.5.10 allows arbitrary HTTP requests to be made through the server. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SSRF Recipes
NVD GitHub
CVSS 3.1
6.5
EPSS
0.4%
CVE-2024-1978 MEDIUM PATCH This Month

The Friends plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.8.5 via the discover_available_feeds function. Rated medium severity (CVSS 5.5), this vulnerability is remotely exploitable, low attack complexity. This Server-Side Request Forgery (SSRF) vulnerability could allow attackers to make the server perform requests to unintended internal or external resources.

WordPress SSRF Friends
NVD GitHub
CVSS 3.1
5.5
EPSS
0.1%
CVE-2024-26476 LOW POC Monitor

An issue in open-emr before v.7.0.2 allows a remote attacker to escalate privileges via a crafted script to the formid parameter in the ereq_form.php component. Rated low severity (CVSS 3.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SSRF PHP Openemr
NVD GitHub
CVSS 3.1
3.5
EPSS
0.4%
CVE-2024-1965 MEDIUM This Month

Server-Side Request Forgery vulnerability in Haivision's Aviwest Manager and Aviwest Steamhub. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SSRF Maanager Streamhub
NVD
CVSS 3.1
5.3
EPSS
0.4%
CVE-2024-1568 MEDIUM PATCH This Month

The Seraphinite Accelerator plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.20.52 via the OnAdminApi_HtmlCheck function. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. This Server-Side Request Forgery (SSRF) vulnerability could allow attackers to make the server perform requests to unintended internal or external resources.

WordPress SSRF Seraphinite Accelerator
NVD
CVSS 3.1
6.4
EPSS
0.2%
CVE-2024-0759 HIGH POC PATCH This Week

Should an instance of AnythingLLM be hosted on an internal network and the attacked be explicitly granted a permission level of manager or admin, they could link-scrape internally resolving IPs of. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

SSRF Anythingllm
NVD GitHub
CVSS 3.1
7.5
EPSS
1.0%
CVE-2024-22873 HIGH POC This Week

Tencent Blueking CMDB v3.2.x to v3.9.x was discovered to contain a Server-Side Request Forgery (SSRF) via the event subscription function (/service/subscription.go). Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SSRF Blueking Configuration Management Database
NVD GitHub VulDB
CVSS 3.1
8.1
EPSS
0.7%
CVE-2024-1758 MEDIUM PATCH This Month

The SuperFaktura WooCommerce plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.40.3 via the wc_sf_url_check function. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. This Server-Side Request Forgery (SSRF) vulnerability could allow attackers to make the server perform requests to unintended internal or external resources.

WordPress SSRF Superfaktura Woocommerce
NVD VulDB
CVSS 3.1
5.4
EPSS
0.3%
CVE-2024-0455 HIGH POC PATCH This Week

The inclusion of the web scraper for AnythingLLM means that any user with the proper authorization level (manager, admin, and when in single user) could put in the URL ```. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

SSRF Anythingllm
NVD GitHub
CVSS 3.1
7.5
EPSS
0.8%
CVE-2024-0440 MEDIUM POC PATCH This Month

Attacker, with permission to submit a link or submits a link via POST to be collected that is using the file:// protocol can then introspect host files and other relatively stored files. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

SSRF Anythingllm
NVD GitHub
CVSS 3.1
6.5
EPSS
0.6%
CVE-2024-0243 PyPI HIGH POC PATCH This Week

With the following crawler configuration: ```python from bs4 import BeautifulSoup as Soup url = "https://example.com" loader = RecursiveUrlLoader( url=url, max_depth=2, extractor=lambda x: Soup(x,. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. Public exploit code available.

SSRF Python Langchain
NVD GitHub
CVSS 3.1
8.1
EPSS
0.5%
CVE-2024-25915 MEDIUM This Month

Server-Side Request Forgery (SSRF) vulnerability in Raaj Trambadia Pexels: Free Stock Photos.2.2. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable. No vendor patch available.

SSRF Pexels
NVD
CVSS 3.1
4.9
EPSS
0.2%
CVE-2024-22243 Maven HIGH PATCH This Week

Applications that use UriComponentsBuilder to parse an externally provided URL (e.g. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SSRF Open Redirect
NVD
CVSS 3.1
8.1
EPSS
4.0%
CVE-2024-23654 HIGH PATCH This Week

discourse-ai is the AI plugin for the open-source discussion platform Discourse. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. This Server-Side Request Forgery (SSRF) vulnerability could allow attackers to make the server perform requests to unintended internal or external resources.

SSRF Ai
NVD GitHub
CVSS 3.1
7.2
EPSS
0.4%
CVE-2024-21498 Go MEDIUM POC This Month

All versions of the package github.com/greenpau/caddy-security are vulnerable to Server-side Request Forgery (SSRF) via X-Forwarded-Host header manipulation. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SSRF Caddy Security
NVD GitHub
CVSS 3.1
5.3
EPSS
0.6%
CVE-2024-23788 HIGH This Week

Server-side request forgery vulnerability in Energy Management Controller with Cloud Services JH-RVB1 /JH-RV11 Ver.B0.1.9.1 and earlier allows a network-adjacent unauthenticated attacker to send an. Rated high severity (CVSS 8.1), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

SSRF Jh Rvb1 Firmware Jh Rv11 Firmware
NVD
CVSS 3.1
8.1
EPSS
0.8%
CVE-2024-23761 CRITICAL POC Act Now

Server Side Template Injection in Gambio 4.9.2.0 allows attackers to run arbitrary code via crafted smarty email template. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SSRF RCE Gambio
NVD
CVSS 3.1
9.8
EPSS
0.7%
CVE-2024-24829 MEDIUM This Month

Sentry is an error tracking and performance monitoring platform. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SSRF Sentry
NVD GitHub
CVSS 3.1
5.3
EPSS
0.5%
CVE-2024-24113 Maven HIGH POC This Week

xxl-job =< 2.4.1 has a Server-Side Request Forgery (SSRF) vulnerability, which causes low-privileged users to control executor to RCE. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SSRF Xxl Job
NVD GitHub
CVSS 3.1
8.8
EPSS
0.6%
CVE-2024-0628 LOW PATCH Monitor

The WP RSS Aggregator plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 4.23.5 via the RSS feed source in admin settings. Rated low severity (CVSS 3.8), this vulnerability is remotely exploitable, low attack complexity. This Server-Side Request Forgery (SSRF) vulnerability could allow attackers to make the server perform requests to unintended internal or external resources.

SSRF WordPress Wp Rss Aggregator
NVD
CVSS 3.1
3.8
EPSS
0.4%
CVE-2024-23838 NuGet HIGH PATCH This Week

TrueLayer.NET is the .Net client for TrueLayer. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Server-Side Request Forgery (SSRF) vulnerability could allow attackers to make the server perform requests to unintended internal or external resources.

SSRF Information Disclosure Truelayer Net
NVD GitHub
CVSS 3.1
7.5
EPSS
0.5%
CVE-2024-23825 MEDIUM POC PATCH This Month

TablePress is a table plugin for Wordpress. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

SSRF WordPress Tablepress
NVD GitHub
CVSS 3.1
4.9
EPSS
0.5%
CVE-2024-1063 HIGH This Week

Appwrite <= v1.4.13 is affected by a Server-Side Request Forgery (SSRF) via the '/v1/avatars/favicon' endpoint due to an incomplete fix of CVE-2023-27159. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SSRF Appwrite
NVD
CVSS 3.1
7.5
EPSS
0.4%
CVE-2024-22648 MEDIUM POC This Month

A Blind SSRF vulnerability exists in the "Crawl Meta Data" functionality of SEO Panel version 4.10.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SSRF Seo Panel
NVD GitHub
CVSS 3.1
5.3
EPSS
0.6%
CVE-2024-1021 CRITICAL POC THREAT Act Now

A vulnerability, which was classified as critical, has been found in Rebuild up to 3.5.5. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SSRF Rebuild
NVD VulDB
CVSS 3.1
9.8
EPSS
34.7%
CVE-2024-0946 CRITICAL Act Now

A vulnerability classified as critical was found in 60IndexPage up to 1.8.5. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SSRF PHP 60Indexpage
NVD VulDB
CVSS 3.1
9.8
EPSS
0.6%
CVE-2024-0945 CRITICAL Act Now

A vulnerability classified as critical has been found in 60IndexPage up to 1.8.5. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SSRF PHP 60Indexpage
NVD VulDB
CVSS 3.1
9.8
EPSS
0.6%
CVE-2024-23644 Cargo HIGH PATCH This Week

Trillium is a composable toolkit for building internet applications with async rust. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required.

SSRF Trillium Trillium Http
NVD GitHub
CVSS 3.1
8.1
EPSS
0.6%
CVE-2024-22134 MEDIUM This Month

Server-Side Request Forgery (SSRF) vulnerability in Renzo Johnson Contact Form 7 Extension For Mailchimp.5.70. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable. No vendor patch available.

SSRF Contact Form 7 Extension For Mailchimp
NVD
CVSS 3.1
4.9
EPSS
0.1%
CVE-2024-23633 PyPI MEDIUM PATCH This Month

Label Studio, an open source data labeling tool had a remote import feature allowed users to import data from a remote web source, that was downloaded and could be viewed on the website. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SSRF XSS Python Label Studio
NVD GitHub
CVSS 3.1
6.1
EPSS
0.6%
CVE-2024-23330 MEDIUM POC This Month

Tuta is an encrypted email service. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SSRF Tutanota
NVD GitHub
CVSS 3.1
5.3
EPSS
0.5%
CVE-2024-22205 PyPI CRITICAL POC PATCH Act Now

Whoogle Search is a self-hosted metasearch engine. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

SSRF Whoogle Search
NVD GitHub
CVSS 3.1
9.8
EPSS
1.0%
CVE-2024-22203 PyPI CRITICAL POC PATCH Act Now

Whoogle Search is a self-hosted metasearch engine. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

SSRF Whoogle Search
NVD GitHub
CVSS 3.1
9.8
EPSS
1.0%
CVE-2022-40700 HIGH This Week

Server-Side Request Forgery (SSRF) vulnerability in Montonio Montonio for WooCommerce, Wpopal Wpopal Core Features, AMO for WP - Membership Management ArcStone wp-amo, Long Watch Studio. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SSRF WordPress Admin Css Mu Amp Toolbox Confirm Data +12
NVD
CVSS 3.1
8.2
EPSS
0.7%
CVE-2024-0649 CRITICAL Act Now

A vulnerability was found in ZhiHuiYun up to 4.4.13 and classified as critical.php of the component Search. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SSRF PHP Zhihuiyun
NVD VulDB
CVSS 3.1
9.8
EPSS
0.5%
CVE-2024-22408 HIGH This Week

Shopware is an open headless commerce platform. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SSRF Shopware
NVD GitHub
CVSS 3.1
8.1
EPSS
0.4%
CVE-2024-0601 MEDIUM POC This Month

A vulnerability was found in ZhongFuCheng3y Austin 1.0. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SSRF Java Austin
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.5%
CVE-2024-0510 HIGH This Month

A vulnerability, which was classified as critical, has been found in HaoKeKeJi YiQiNiu up to 3.1. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SSRF PHP Yiqiniu
NVD VulDB
CVSS 3.1
7.3
EPSS
0.2%
CVE-2023-51804 HIGH POC This Week

An issue in rymcu forest v.0.02 allows a remote attacker to obtain sensitive information via manipulation of the HTTP body URL in the com.rymcu.forest.web.api.common.UploadController file. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SSRF Forest
NVD GitHub
CVSS 3.1
7.5
EPSS
0.2%
CVE-2023-49471 HIGH POC THREAT Act Now

Blind Server-Side Request Forgery (SSRF) vulnerability in karlomikus Bar Assistant before version 3.2.0 does not validate a parameter before making a request through Image::make(), which could allow. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 13.0%.

SSRF RCE Bar Assistant
NVD GitHub
CVSS 3.1
8.8
EPSS
13.0%
CVE-2024-0308 MEDIUM This Month

A vulnerability was found in Inis up to 2.0.1. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SSRF PHP Inis
NVD VulDB
CVSS 3.1
6.3
EPSS
0.1%
CVE-2024-0304 MEDIUM This Month

A vulnerability has been found in Youke365 up to 1.5.3 and classified as critical. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SSRF PHP Youke 365
NVD VulDB
CVSS 3.1
6.3
EPSS
0.2%
CVE-2024-0303 MEDIUM This Month

A vulnerability, which was classified as critical, was found in Youke365 up to 1.5.3. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SSRF PHP Youke 365
NVD VulDB
CVSS 3.1
6.3
EPSS
0.2%
CVE-2023-51441 Maven HIGH PATCH This Week

** UNSUPPORTED WHEN ASSIGNED ** Improper Input Validation vulnerability in Apache Axis allowed users with access to the admin service to perform possible SSRF3. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. This Server-Side Request Forgery (SSRF) vulnerability could allow attackers to make the server perform requests to unintended internal or external resources.

SSRF Java Apache Axis
NVD GitHub
CVSS 3.1
7.2
EPSS
0.1%
CVE-2024-21642 PyPI HIGH PATCH This Month

D-Tale is a visualizer for Pandas data structures. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Server-Side Request Forgery (SSRF) vulnerability could allow attackers to make the server perform requests to unintended internal or external resources.

SSRF D Tale
NVD GitHub
CVSS 3.1
7.5
EPSS
0.4%
CVE-2023-5877 CRITICAL POC Act Now

The affiliate-toolkit WordPress plugin before 3.4.3 lacks authorization and authentication for requests to it's affiliate-toolkit-starter/tools/atkp_imagereceiver.php endpoint, allowing. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SSRF Authentication Bypass WordPress PHP Affiliate Toolkit
NVD WPScan
CVSS 3.1
9.8
EPSS
0.4%
CVE-2023-51676 MEDIUM This Month

Server-Side Request Forgery (SSRF) vulnerability in Leevio Happy Addons for Elementor.9.1.1. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable. No vendor patch available.

SSRF Happy Addons For Elementor Elementor
NVD
CVSS 3.1
4.9
EPSS
0.4%
CVE-2023-7080 npm HIGH PATCH This Week

The V8 inspector intentionally allows arbitrary code execution within the Workers sandbox for debugging. Rated high severity (CVSS 8.0), this vulnerability is no authentication required, low attack complexity. This Improper Privilege Management vulnerability could allow attackers to escalate privileges to gain unauthorized elevated access.

Privilege Escalation RCE SSRF Wrangler
NVD GitHub
CVSS 3.1
8.0
EPSS
0.6%
CVE-2023-7078 npm HIGH PATCH This Week

Sending specially crafted HTTP requests to Miniflare's server could result in arbitrary HTTP and WebSocket requests being sent from the server. Rated high severity (CVSS 8.1), this vulnerability is no authentication required, low attack complexity. This Server-Side Request Forgery (SSRF) vulnerability could allow attackers to make the server perform requests to unintended internal or external resources.

SSRF Miniflare
NVD GitHub
CVSS 3.1
8.1
EPSS
0.6%
CVE-2023-51697 HIGH PATCH This Week

Audiobookshelf is a self-hosted audiobook and podcast server. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Server-Side Request Forgery (SSRF) vulnerability could allow attackers to make the server perform requests to unintended internal or external resources.

SSRF Audiobookshelf
NVD GitHub
CVSS 3.1
7.5
EPSS
0.3%
CVE-2023-51665 HIGH PATCH This Week

Audiobookshelf is a self-hosted audiobook and podcast server. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Server-Side Request Forgery (SSRF) vulnerability could allow attackers to make the server perform requests to unintended internal or external resources.

SSRF Audiobookshelf
NVD GitHub
CVSS 3.1
7.5
EPSS
0.3%
CVE-2023-51467 CRITICAL POC PATCH THREAT Act Now

The vulnerability permits attackers to circumvent authentication processes, enabling them to remotely execute arbitrary code. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Server-Side Request Forgery (SSRF) vulnerability could allow attackers to make the server perform requests to unintended internal or external resources.

RCE SSRF Ofbiz
NVD
CVSS 3.1
9.8
EPSS
96.0%
CVE-2023-50968 HIGH POC PATCH THREAT This Week

Arbitrary file properties reading vulnerability in Apache Software Foundation Apache OFBiz when user operates an uri call without authorizations. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Apache Information Disclosure SSRF Ofbiz
NVD
CVSS 3.1
7.5
EPSS
63.4%
CVE-2023-51451 MEDIUM PATCH This Month

Symbolicator is a service used in Sentry. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. This Server-Side Request Forgery (SSRF) vulnerability could allow attackers to make the server perform requests to unintended internal or external resources.

SSRF Symbolicator
NVD GitHub
CVSS 3.1
4.3
EPSS
0.5%
CVE-2023-50731 PyPI CRITICAL POC PATCH Act Now

MindsDB is a SQL Server for artificial intelligence. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SSRF Mindsdb
NVD GitHub
CVSS 3.1
9.1
EPSS
1.0%
CVE-2023-50259 MEDIUM POC PATCH This Month

Medusa is an automatic video library manager for TV shows. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

SSRF Medusa
NVD GitHub
CVSS 3.1
5.3
EPSS
0.6%
CVE-2023-50258 MEDIUM POC This Month

Medusa is an automatic video library manager for TV shows. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SSRF Medusa
NVD GitHub
CVSS 3.1
5.3
EPSS
0.7%
CVE-2023-7037 PHP HIGH POC This Week

A vulnerability was found in automad up to 1.10.9. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SSRF PHP Automad
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.7%
CVE-2023-6974 PyPI CRITICAL POC PATCH Act Now

A malicious user could use this issue to access internal HTTP(s) servers and in the worst case (ie: aws instance) it could be abuse to get a remote code execution on the victim machine. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

RCE SSRF Mlflow
NVD GitHub
CVSS 3.1
9.8
EPSS
1.5%
CVE-2023-46265 CRITICAL Act Now

An unauthenticated could abuse a XXE vulnerability in the Smart Device Server to leak data or perform a Server-Side Request Forgery (SSRF). Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SSRF XXE Avalanche
NVD
CVSS 3.1
9.8
EPSS
4.0%
CVE-2023-46262 HIGH This Week

An unauthenticated attacked could send a specifically crafted web request causing a Server-Side Request Forgery (SSRF) in Ivanti Avalanche Remote Control server. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SSRF Ivanti Avalanche
NVD
CVSS 3.1
7.5
EPSS
82.8%
CVE-2022-40312 MEDIUM This Month

Server-Side Request Forgery (SSRF) vulnerability in GiveWP GiveWP - Donation Plugin and Fundraising Platform.25.1. Rated medium severity (CVSS 5.5), this vulnerability is remotely exploitable. No vendor patch available.

SSRF Givewp
NVD
CVSS 3.1
5.5
EPSS
0.1%
CVE-2023-6853 CRITICAL PATCH Act Now

A vulnerability classified as critical was found in kalcaddle KodExplorer up to 4.51.03. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Server-Side Request Forgery (SSRF) vulnerability could allow attackers to make the server perform requests to unintended internal or external resources.

SSRF PHP Kodexplorer
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.7%
CVE-2023-6852 CRITICAL PATCH Act Now

A vulnerability classified as critical has been found in kalcaddle KodExplorer up to 4.51.03. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Server-Side Request Forgery (SSRF) vulnerability could allow attackers to make the server perform requests to unintended internal or external resources.

SSRF PHP Kodexplorer
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.8%
CVE-2023-6849 CRITICAL PATCH Act Now

A vulnerability was found in kalcaddle kodbox up to 1.48. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Server-Side Request Forgery (SSRF) vulnerability could allow attackers to make the server perform requests to unintended internal or external resources.

SSRF PHP Kodbox
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.9%
CVE-2023-50266 MEDIUM PATCH This Month

Bazarr manages and downloads subtitles. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Server-Side Request Forgery (SSRF) vulnerability could allow attackers to make the server perform requests to unintended internal or external resources.

SSRF Bazarr
NVD GitHub
CVSS 3.1
5.3
EPSS
0.6%
CVE-2023-49159 HIGH This Week

Server-Side Request Forgery (SSRF) vulnerability in Elegant Digital Solutions CommentLuv.0.4. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SSRF Commentluv
NVD
CVSS 3.1
7.2
EPSS
0.4%
CVE-2023-48379 MEDIUM This Month

Softnext Mail SQR Expert is an email management platform, it has inadequate filtering for a specific URL parameter within a specific function. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SSRF Mail Sqr Expert
NVD
CVSS 3.1
5.3
EPSS
0.6%
CVE-2023-6570 MEDIUM POC This Month

Server-Side Request Forgery (SSRF) in kubeflow/kubeflow. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SSRF Kubeflow
NVD
CVSS 3.1
6.5
EPSS
0.6%
CVE-2023-40630 CRITICAL Act Now

Unauthenticated LFI/SSRF in JCDashboards component for Joomla. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SSRF Jcdashboard
NVD
CVSS 3.1
9.8
EPSS
0.7%
CVE-2023-49795 PyPI MEDIUM PATCH This Month

MindsDB connects artificial intelligence models to real time data. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Server-Side Request Forgery (SSRF) vulnerability could allow attackers to make the server perform requests to unintended internal or external resources.

SSRF Information Disclosure Mindsdb
NVD GitHub
CVSS 3.1
5.3
EPSS
0.4%
CVE-2023-49799 npm HIGH POC PATCH This Week

`nuxt-api-party` is an open source module to proxy API requests. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SSRF Nuxt Api Party
NVD GitHub
CVSS 3.1
7.5
EPSS
0.8%
CVE-2023-49746 MEDIUM This Month

Server-Side Request Forgery (SSRF) vulnerability in Softaculous Team SpeedyCache - Cache, Optimization, Performance.1.2. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable. No vendor patch available.

SSRF Speedycache
NVD
CVSS 3.1
4.9
EPSS
0.2%
CVE-2023-46641 MEDIUM This Month

Server-Side Request Forgery (SSRF) vulnerability in Code for Recovery 12 Step Meeting List.14.24. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable. No vendor patch available.

SSRF 12 Step Meeting List
NVD
CVSS 3.1
4.9
EPSS
0.2%
CVE-2023-41804 HIGH This Week

Server-Side Request Forgery (SSRF) vulnerability in Brainstorm Force Starter Templates - Elementor, WordPress & Beaver Builder Templates.2.4. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable. No vendor patch available.

SSRF WordPress Starter Templates
NVD
CVSS 3.1
7.1
EPSS
0.4%
CVE-2022-45362 HIGH POC THREAT Act Now

Server-Side Request Forgery (SSRF) vulnerability in Paytm Paytm Payment Gateway.7.0. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 32.9%.

SSRF Payment Gateway
NVD
CVSS 3.1
7.2
EPSS
32.9%
CVE-2023-46736 MEDIUM POC PATCH This Month

EspoCRM is an Open Source CRM (Customer Relationship Management) software. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

SSRF Espocrm
NVD GitHub
CVSS 3.1
6.5
EPSS
0.4%
CVE-2023-48910 Maven CRITICAL POC PATCH Act Now

Microcks up to 1.17.1 was discovered to contain a Server-Side Request Forgery (SSRF) via the component /jobs and /artifact/download. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SSRF Microcks
NVD GitHub
CVSS 3.1
9.8
EPSS
1.0%
CVE-2023-46746 MEDIUM PATCH This Month

PostHog provides open-source product analytics, session recording, feature flagging and A/B testing that you can self-host. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. This Server-Side Request Forgery (SSRF) vulnerability could allow attackers to make the server perform requests to unintended internal or external resources.

SSRF Posthog
NVD GitHub
CVSS 3.1
4.3
EPSS
0.4%
CVE-2023-49735 Maven HIGH This Week

** UNSUPPORTED WHEN ASSIGNED ** The value set as the DefaultLocaleResolver.LOCALE_KEY attribute on the session was not validated while resolving XML definition files, leading to possible path. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Path Traversal XXE SSRF Tiles
NVD
CVSS 3.1
7.5
EPSS
1.3%
CVE-2023-49094 MEDIUM PATCH This Month

Symbolicator is a symbolication service for native stacktraces and minidumps with symbol server support. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. This Server-Side Request Forgery (SSRF) vulnerability could allow attackers to make the server perform requests to unintended internal or external resources.

SSRF Symbolicator
NVD GitHub
CVSS 3.1
4.3
EPSS
0.7%
CVE-2023-6070 MEDIUM This Month

A server-side request forgery vulnerability in ESM prior to version 11.6.8 allows a low privileged authenticated user to upload arbitrary content, potentially altering configuration. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SSRF Enterprise Security Manager
NVD
CVSS 3.1
4.3
EPSS
0.2%
CVE-2023-48023 CRITICAL POC THREAT Act Now

Anyscale Ray 2.6.3 and 2.8.0 allows /log_proxy SSRF. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SSRF Ray
NVD
CVSS 3.1
9.1
EPSS
35.1%
CVE-2023-46480 Go CRITICAL Act Now

An issue in OwnCast v.0.1.1 allows a remote attacker to execute arbitrary code and obtain sensitive information via the authHost parameter of the indieauth function. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE SSRF Owncast
NVD GitHub
CVSS 3.1
9.8
EPSS
1.6%
CVE-2023-5974 CRITICAL POC Act Now

The WPB Show Core WordPress plugin through 2.2 is vulnerable to server-side request forgery (SSRF) via the `path` parameter. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SSRF WordPress Wpb Show Core
NVD WPScan
CVSS 3.1
9.8
EPSS
3.1%
CVE-2023-48711 npm LOW POC PATCH Monitor

google-translate-api-browser is an npm package which interfaces with the google translate web api. Rated low severity (CVSS 3.7), this vulnerability is remotely exploitable, no authentication required. Public exploit code available.

Node.js SSRF Google Google Translate Api Browser
NVD GitHub
CVSS 3.1
3.7
EPSS
0.5%
CVE-2023-27451 HIGH This Week

Server-Side Request Forgery (SSRF) vulnerability in Darren Cooney Instant Images plugin <= 5.1.0.2 versions. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SSRF Instant Images
NVD
CVSS 3.1
8.8
EPSS
0.8%
CVE-2023-48307 CRITICAL PATCH Act Now

Nextcloud Mail is the mail app for Nextcloud, a self-hosted productivity platform. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Server-Side Request Forgery (SSRF) vulnerability could allow attackers to make the server perform requests to unintended internal or external resources.

SSRF Nextcloud Mail
NVD GitHub
CVSS 3.1
9.8
EPSS
0.9%
CVE-2023-48306 CRITICAL POC Act Now

Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SSRF Nextcloud Nextcloud Server
NVD GitHub
CVSS 3.1
9.8
EPSS
0.8%
EPSS 0% CVSS 5.4
MEDIUM This Month

Server-Side Request Forgery (SSRF) vulnerability in Sirv CDN and Image Hosting Sirv sirv.2.0. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SSRF
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM POC This Month

Recipes version 1.5.10 allows arbitrary HTTP requests to be made through the server. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SSRF Recipes
NVD GitHub
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

The Friends plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.8.5 via the discover_available_feeds function. Rated medium severity (CVSS 5.5), this vulnerability is remotely exploitable, low attack complexity. This Server-Side Request Forgery (SSRF) vulnerability could allow attackers to make the server perform requests to unintended internal or external resources.

WordPress SSRF Friends
NVD GitHub
EPSS 0% CVSS 3.5
LOW POC Monitor

An issue in open-emr before v.7.0.2 allows a remote attacker to escalate privileges via a crafted script to the formid parameter in the ereq_form.php component. Rated low severity (CVSS 3.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SSRF PHP Openemr
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM This Month

Server-Side Request Forgery vulnerability in Haivision's Aviwest Manager and Aviwest Steamhub. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SSRF Maanager Streamhub
NVD
EPSS 0% CVSS 6.4
MEDIUM PATCH This Month

The Seraphinite Accelerator plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.20.52 via the OnAdminApi_HtmlCheck function. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. This Server-Side Request Forgery (SSRF) vulnerability could allow attackers to make the server perform requests to unintended internal or external resources.

WordPress SSRF Seraphinite Accelerator
NVD
EPSS 1% CVSS 7.5
HIGH POC PATCH This Week

Should an instance of AnythingLLM be hosted on an internal network and the attacked be explicitly granted a permission level of manager or admin, they could link-scrape internally resolving IPs of. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

SSRF Anythingllm
NVD GitHub
EPSS 1% CVSS 8.1
HIGH POC This Week

Tencent Blueking CMDB v3.2.x to v3.9.x was discovered to contain a Server-Side Request Forgery (SSRF) via the event subscription function (/service/subscription.go). Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SSRF Blueking Configuration Management Database
NVD GitHub VulDB
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

The SuperFaktura WooCommerce plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.40.3 via the wc_sf_url_check function. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. This Server-Side Request Forgery (SSRF) vulnerability could allow attackers to make the server perform requests to unintended internal or external resources.

WordPress SSRF Superfaktura Woocommerce
NVD VulDB
EPSS 1% CVSS 7.5
HIGH POC PATCH This Week

The inclusion of the web scraper for AnythingLLM means that any user with the proper authorization level (manager, admin, and when in single user) could put in the URL ```. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

SSRF Anythingllm
NVD GitHub
EPSS 1% CVSS 6.5
MEDIUM POC PATCH This Month

Attacker, with permission to submit a link or submits a link via POST to be collected that is using the file:// protocol can then introspect host files and other relatively stored files. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

SSRF Anythingllm
NVD GitHub
EPSS 1% CVSS 8.1
HIGH POC PATCH This Week

With the following crawler configuration: ```python from bs4 import BeautifulSoup as Soup url = "https://example.com" loader = RecursiveUrlLoader( url=url, max_depth=2, extractor=lambda x: Soup(x,. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. Public exploit code available.

SSRF Python Langchain
NVD GitHub
EPSS 0% CVSS 4.9
MEDIUM This Month

Server-Side Request Forgery (SSRF) vulnerability in Raaj Trambadia Pexels: Free Stock Photos.2.2. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable. No vendor patch available.

SSRF Pexels
NVD
EPSS 4% CVSS 8.1
HIGH PATCH This Week

Applications that use UriComponentsBuilder to parse an externally provided URL (e.g. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SSRF Open Redirect
NVD
EPSS 0% CVSS 7.2
HIGH PATCH This Week

discourse-ai is the AI plugin for the open-source discussion platform Discourse. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. This Server-Side Request Forgery (SSRF) vulnerability could allow attackers to make the server perform requests to unintended internal or external resources.

SSRF Ai
NVD GitHub
EPSS 1% CVSS 5.3
MEDIUM POC This Month

All versions of the package github.com/greenpau/caddy-security are vulnerable to Server-side Request Forgery (SSRF) via X-Forwarded-Host header manipulation. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SSRF Caddy Security
NVD GitHub
EPSS 1% CVSS 8.1
HIGH This Week

Server-side request forgery vulnerability in Energy Management Controller with Cloud Services JH-RVB1 /JH-RV11 Ver.B0.1.9.1 and earlier allows a network-adjacent unauthenticated attacker to send an. Rated high severity (CVSS 8.1), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

SSRF Jh Rvb1 Firmware Jh Rv11 Firmware
NVD
EPSS 1% CVSS 9.8
CRITICAL POC Act Now

Server Side Template Injection in Gambio 4.9.2.0 allows attackers to run arbitrary code via crafted smarty email template. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SSRF RCE Gambio
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Sentry is an error tracking and performance monitoring platform. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SSRF Sentry
NVD GitHub
EPSS 1% CVSS 8.8
HIGH POC This Week

xxl-job =< 2.4.1 has a Server-Side Request Forgery (SSRF) vulnerability, which causes low-privileged users to control executor to RCE. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SSRF Xxl Job
NVD GitHub
EPSS 0% CVSS 3.8
LOW PATCH Monitor

The WP RSS Aggregator plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 4.23.5 via the RSS feed source in admin settings. Rated low severity (CVSS 3.8), this vulnerability is remotely exploitable, low attack complexity. This Server-Side Request Forgery (SSRF) vulnerability could allow attackers to make the server perform requests to unintended internal or external resources.

SSRF WordPress Wp Rss Aggregator
NVD
EPSS 1% CVSS 7.5
HIGH PATCH This Week

TrueLayer.NET is the .Net client for TrueLayer. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Server-Side Request Forgery (SSRF) vulnerability could allow attackers to make the server perform requests to unintended internal or external resources.

SSRF Information Disclosure Truelayer Net
NVD GitHub
EPSS 1% CVSS 4.9
MEDIUM POC PATCH This Month

TablePress is a table plugin for Wordpress. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

SSRF WordPress Tablepress
NVD GitHub
EPSS 0% CVSS 7.5
HIGH This Week

Appwrite <= v1.4.13 is affected by a Server-Side Request Forgery (SSRF) via the '/v1/avatars/favicon' endpoint due to an incomplete fix of CVE-2023-27159. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SSRF Appwrite
NVD
EPSS 1% CVSS 5.3
MEDIUM POC This Month

A Blind SSRF vulnerability exists in the "Crawl Meta Data" functionality of SEO Panel version 4.10.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SSRF Seo Panel
NVD GitHub
EPSS 35% CVSS 9.8
CRITICAL POC THREAT Act Now

A vulnerability, which was classified as critical, has been found in Rebuild up to 3.5.5. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SSRF Rebuild
NVD VulDB
EPSS 1% CVSS 9.8
CRITICAL Act Now

A vulnerability classified as critical was found in 60IndexPage up to 1.8.5. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SSRF PHP 60Indexpage
NVD VulDB
EPSS 1% CVSS 9.8
CRITICAL Act Now

A vulnerability classified as critical has been found in 60IndexPage up to 1.8.5. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SSRF PHP 60Indexpage
NVD VulDB
EPSS 1% CVSS 8.1
HIGH PATCH This Week

Trillium is a composable toolkit for building internet applications with async rust. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required.

SSRF Trillium Trillium Http
NVD GitHub
EPSS 0% CVSS 4.9
MEDIUM This Month

Server-Side Request Forgery (SSRF) vulnerability in Renzo Johnson Contact Form 7 Extension For Mailchimp.5.70. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable. No vendor patch available.

SSRF Contact Form 7 Extension For Mailchimp
NVD
EPSS 1% CVSS 6.1
MEDIUM PATCH This Month

Label Studio, an open source data labeling tool had a remote import feature allowed users to import data from a remote web source, that was downloaded and could be viewed on the website. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SSRF XSS Python +1
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM POC This Month

Tuta is an encrypted email service. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SSRF Tutanota
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL POC PATCH Act Now

Whoogle Search is a self-hosted metasearch engine. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

SSRF Whoogle Search
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL POC PATCH Act Now

Whoogle Search is a self-hosted metasearch engine. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

SSRF Whoogle Search
NVD GitHub
EPSS 1% CVSS 8.2
HIGH This Week

Server-Side Request Forgery (SSRF) vulnerability in Montonio Montonio for WooCommerce, Wpopal Wpopal Core Features, AMO for WP - Membership Management ArcStone wp-amo, Long Watch Studio. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SSRF WordPress Admin Css Mu +14
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

A vulnerability was found in ZhiHuiYun up to 4.4.13 and classified as critical.php of the component Search. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SSRF PHP Zhihuiyun
NVD VulDB
EPSS 0% CVSS 8.1
HIGH This Week

Shopware is an open headless commerce platform. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SSRF Shopware
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM POC This Month

A vulnerability was found in ZhongFuCheng3y Austin 1.0. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SSRF Java Austin
NVD GitHub VulDB
EPSS 0% CVSS 7.3
HIGH This Month

A vulnerability, which was classified as critical, has been found in HaoKeKeJi YiQiNiu up to 3.1. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SSRF PHP Yiqiniu
NVD VulDB
EPSS 0% CVSS 7.5
HIGH POC This Week

An issue in rymcu forest v.0.02 allows a remote attacker to obtain sensitive information via manipulation of the HTTP body URL in the com.rymcu.forest.web.api.common.UploadController file. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SSRF Forest
NVD GitHub
EPSS 13% CVSS 8.8
HIGH POC THREAT Act Now

Blind Server-Side Request Forgery (SSRF) vulnerability in karlomikus Bar Assistant before version 3.2.0 does not validate a parameter before making a request through Image::make(), which could allow. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 13.0%.

SSRF RCE Bar Assistant
NVD GitHub
EPSS 0% CVSS 6.3
MEDIUM This Month

A vulnerability was found in Inis up to 2.0.1. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SSRF PHP Inis
NVD VulDB
EPSS 0% CVSS 6.3
MEDIUM This Month

A vulnerability has been found in Youke365 up to 1.5.3 and classified as critical. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SSRF PHP Youke 365
NVD VulDB
EPSS 0% CVSS 6.3
MEDIUM This Month

A vulnerability, which was classified as critical, was found in Youke365 up to 1.5.3. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SSRF PHP Youke 365
NVD VulDB
EPSS 0% CVSS 7.2
HIGH PATCH This Week

** UNSUPPORTED WHEN ASSIGNED ** Improper Input Validation vulnerability in Apache Axis allowed users with access to the admin service to perform possible SSRF3. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. This Server-Side Request Forgery (SSRF) vulnerability could allow attackers to make the server perform requests to unintended internal or external resources.

SSRF Java Apache +1
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Month

D-Tale is a visualizer for Pandas data structures. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Server-Side Request Forgery (SSRF) vulnerability could allow attackers to make the server perform requests to unintended internal or external resources.

SSRF D Tale
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL POC Act Now

The affiliate-toolkit WordPress plugin before 3.4.3 lacks authorization and authentication for requests to it's affiliate-toolkit-starter/tools/atkp_imagereceiver.php endpoint, allowing. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SSRF Authentication Bypass WordPress +2
NVD WPScan
EPSS 0% CVSS 4.9
MEDIUM This Month

Server-Side Request Forgery (SSRF) vulnerability in Leevio Happy Addons for Elementor.9.1.1. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable. No vendor patch available.

SSRF Happy Addons For Elementor Elementor
NVD
EPSS 1% CVSS 8.0
HIGH PATCH This Week

The V8 inspector intentionally allows arbitrary code execution within the Workers sandbox for debugging. Rated high severity (CVSS 8.0), this vulnerability is no authentication required, low attack complexity. This Improper Privilege Management vulnerability could allow attackers to escalate privileges to gain unauthorized elevated access.

Privilege Escalation RCE SSRF +1
NVD GitHub
EPSS 1% CVSS 8.1
HIGH PATCH This Week

Sending specially crafted HTTP requests to Miniflare's server could result in arbitrary HTTP and WebSocket requests being sent from the server. Rated high severity (CVSS 8.1), this vulnerability is no authentication required, low attack complexity. This Server-Side Request Forgery (SSRF) vulnerability could allow attackers to make the server perform requests to unintended internal or external resources.

SSRF Miniflare
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Audiobookshelf is a self-hosted audiobook and podcast server. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Server-Side Request Forgery (SSRF) vulnerability could allow attackers to make the server perform requests to unintended internal or external resources.

SSRF Audiobookshelf
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Audiobookshelf is a self-hosted audiobook and podcast server. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Server-Side Request Forgery (SSRF) vulnerability could allow attackers to make the server perform requests to unintended internal or external resources.

SSRF Audiobookshelf
NVD GitHub
EPSS 96% CVSS 9.8
CRITICAL POC PATCH THREAT Act Now

The vulnerability permits attackers to circumvent authentication processes, enabling them to remotely execute arbitrary code. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Server-Side Request Forgery (SSRF) vulnerability could allow attackers to make the server perform requests to unintended internal or external resources.

RCE SSRF Ofbiz
NVD
EPSS 63% CVSS 7.5
HIGH POC PATCH THREAT This Week

Arbitrary file properties reading vulnerability in Apache Software Foundation Apache OFBiz when user operates an uri call without authorizations. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Apache Information Disclosure SSRF +1
NVD
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Symbolicator is a service used in Sentry. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. This Server-Side Request Forgery (SSRF) vulnerability could allow attackers to make the server perform requests to unintended internal or external resources.

SSRF Symbolicator
NVD GitHub
EPSS 1% CVSS 9.1
CRITICAL POC PATCH Act Now

MindsDB is a SQL Server for artificial intelligence. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SSRF Mindsdb
NVD GitHub
EPSS 1% CVSS 5.3
MEDIUM POC PATCH This Month

Medusa is an automatic video library manager for TV shows. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

SSRF Medusa
NVD GitHub
EPSS 1% CVSS 5.3
MEDIUM POC This Month

Medusa is an automatic video library manager for TV shows. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SSRF Medusa
NVD GitHub
EPSS 1% CVSS 8.8
HIGH POC This Week

A vulnerability was found in automad up to 1.10.9. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SSRF PHP Automad
NVD GitHub VulDB
EPSS 2% CVSS 9.8
CRITICAL POC PATCH Act Now

A malicious user could use this issue to access internal HTTP(s) servers and in the worst case (ie: aws instance) it could be abuse to get a remote code execution on the victim machine. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

RCE SSRF Mlflow
NVD GitHub
EPSS 4% CVSS 9.8
CRITICAL Act Now

An unauthenticated could abuse a XXE vulnerability in the Smart Device Server to leak data or perform a Server-Side Request Forgery (SSRF). Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SSRF XXE Avalanche
NVD
EPSS 83% CVSS 7.5
HIGH This Week

An unauthenticated attacked could send a specifically crafted web request causing a Server-Side Request Forgery (SSRF) in Ivanti Avalanche Remote Control server. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SSRF Ivanti Avalanche
NVD
EPSS 0% CVSS 5.5
MEDIUM This Month

Server-Side Request Forgery (SSRF) vulnerability in GiveWP GiveWP - Donation Plugin and Fundraising Platform.25.1. Rated medium severity (CVSS 5.5), this vulnerability is remotely exploitable. No vendor patch available.

SSRF Givewp
NVD
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

A vulnerability classified as critical was found in kalcaddle KodExplorer up to 4.51.03. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Server-Side Request Forgery (SSRF) vulnerability could allow attackers to make the server perform requests to unintended internal or external resources.

SSRF PHP Kodexplorer
NVD GitHub VulDB
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

A vulnerability classified as critical has been found in kalcaddle KodExplorer up to 4.51.03. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Server-Side Request Forgery (SSRF) vulnerability could allow attackers to make the server perform requests to unintended internal or external resources.

SSRF PHP Kodexplorer
NVD GitHub VulDB
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

A vulnerability was found in kalcaddle kodbox up to 1.48. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Server-Side Request Forgery (SSRF) vulnerability could allow attackers to make the server perform requests to unintended internal or external resources.

SSRF PHP Kodbox
NVD GitHub VulDB
EPSS 1% CVSS 5.3
MEDIUM PATCH This Month

Bazarr manages and downloads subtitles. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Server-Side Request Forgery (SSRF) vulnerability could allow attackers to make the server perform requests to unintended internal or external resources.

SSRF Bazarr
NVD GitHub
EPSS 0% CVSS 7.2
HIGH This Week

Server-Side Request Forgery (SSRF) vulnerability in Elegant Digital Solutions CommentLuv.0.4. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SSRF Commentluv
NVD
EPSS 1% CVSS 5.3
MEDIUM This Month

Softnext Mail SQR Expert is an email management platform, it has inadequate filtering for a specific URL parameter within a specific function. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SSRF Mail Sqr Expert
NVD
EPSS 1% CVSS 6.5
MEDIUM POC This Month

Server-Side Request Forgery (SSRF) in kubeflow/kubeflow. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SSRF Kubeflow
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

Unauthenticated LFI/SSRF in JCDashboards component for Joomla. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SSRF Jcdashboard
NVD
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

MindsDB connects artificial intelligence models to real time data. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Server-Side Request Forgery (SSRF) vulnerability could allow attackers to make the server perform requests to unintended internal or external resources.

SSRF Information Disclosure Mindsdb
NVD GitHub
EPSS 1% CVSS 7.5
HIGH POC PATCH This Week

`nuxt-api-party` is an open source module to proxy API requests. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SSRF Nuxt Api Party
NVD GitHub
EPSS 0% CVSS 4.9
MEDIUM This Month

Server-Side Request Forgery (SSRF) vulnerability in Softaculous Team SpeedyCache - Cache, Optimization, Performance.1.2. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable. No vendor patch available.

SSRF Speedycache
NVD
EPSS 0% CVSS 4.9
MEDIUM This Month

Server-Side Request Forgery (SSRF) vulnerability in Code for Recovery 12 Step Meeting List.14.24. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable. No vendor patch available.

SSRF 12 Step Meeting List
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Server-Side Request Forgery (SSRF) vulnerability in Brainstorm Force Starter Templates - Elementor, WordPress & Beaver Builder Templates.2.4. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable. No vendor patch available.

SSRF WordPress Starter Templates
NVD
EPSS 33% CVSS 7.2
HIGH POC THREAT Act Now

Server-Side Request Forgery (SSRF) vulnerability in Paytm Paytm Payment Gateway.7.0. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 32.9%.

SSRF Payment Gateway
NVD
EPSS 0% CVSS 6.5
MEDIUM POC PATCH This Month

EspoCRM is an Open Source CRM (Customer Relationship Management) software. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

SSRF Espocrm
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL POC PATCH Act Now

Microcks up to 1.17.1 was discovered to contain a Server-Side Request Forgery (SSRF) via the component /jobs and /artifact/download. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SSRF Microcks
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

PostHog provides open-source product analytics, session recording, feature flagging and A/B testing that you can self-host. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. This Server-Side Request Forgery (SSRF) vulnerability could allow attackers to make the server perform requests to unintended internal or external resources.

SSRF Posthog
NVD GitHub
EPSS 1% CVSS 7.5
HIGH This Week

** UNSUPPORTED WHEN ASSIGNED ** The value set as the DefaultLocaleResolver.LOCALE_KEY attribute on the session was not validated while resolving XML definition files, leading to possible path. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Path Traversal XXE +2
NVD
EPSS 1% CVSS 4.3
MEDIUM PATCH This Month

Symbolicator is a symbolication service for native stacktraces and minidumps with symbol server support. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. This Server-Side Request Forgery (SSRF) vulnerability could allow attackers to make the server perform requests to unintended internal or external resources.

SSRF Symbolicator
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM This Month

A server-side request forgery vulnerability in ESM prior to version 11.6.8 allows a low privileged authenticated user to upload arbitrary content, potentially altering configuration. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SSRF Enterprise Security Manager
NVD
EPSS 35% CVSS 9.1
CRITICAL POC THREAT Act Now

Anyscale Ray 2.6.3 and 2.8.0 allows /log_proxy SSRF. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SSRF Ray
NVD
EPSS 2% CVSS 9.8
CRITICAL Act Now

An issue in OwnCast v.0.1.1 allows a remote attacker to execute arbitrary code and obtain sensitive information via the authHost parameter of the indieauth function. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE SSRF Owncast
NVD GitHub
EPSS 3% CVSS 9.8
CRITICAL POC Act Now

The WPB Show Core WordPress plugin through 2.2 is vulnerable to server-side request forgery (SSRF) via the `path` parameter. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SSRF WordPress Wpb Show Core
NVD WPScan
EPSS 0% CVSS 3.7
LOW POC PATCH Monitor

google-translate-api-browser is an npm package which interfaces with the google translate web api. Rated low severity (CVSS 3.7), this vulnerability is remotely exploitable, no authentication required. Public exploit code available.

Node.js SSRF Google +1
NVD GitHub
EPSS 1% CVSS 8.8
HIGH This Week

Server-Side Request Forgery (SSRF) vulnerability in Darren Cooney Instant Images plugin <= 5.1.0.2 versions. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SSRF Instant Images
NVD
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

Nextcloud Mail is the mail app for Nextcloud, a self-hosted productivity platform. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Server-Side Request Forgery (SSRF) vulnerability could allow attackers to make the server perform requests to unintended internal or external resources.

SSRF Nextcloud Mail
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL POC Act Now

Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SSRF Nextcloud Nextcloud Server
NVD GitHub
Prev Page 22 of 32 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy