Skip to main content

SSRF

2868 CVEs technique

Monthly

CVE-2023-6199 MEDIUM POC This Month

Book Stack version 23.10.2 allows filtering local files on the server. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SSRF Bookstack
NVD
CVSS 3.1
6.5
EPSS
1.4%
CVE-2023-48240 Maven HIGH PATCH This Week

XWiki Platform is a generic wiki platform. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

SSRF Xwiki
NVD GitHub
CVSS 3.1
8.8
EPSS
0.7%
CVE-2023-48204 MEDIUM POC This Month

An issue in PublicCMS v.4.0.202302.e allows a remote attacker to obtain sensitive information via the appToken and Parameters parameter of the api/method/getHtml component. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SSRF Publiccms
NVD GitHub
CVSS 3.1
6.5
EPSS
0.7%
CVE-2023-6124 MEDIUM POC PATCH This Month

Server-Side Request Forgery (SSRF) in GitHub repository salesagility/suitecrm prior to 7.14.2, 8.4.2, 7.12.14. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

SSRF Suitecrm
NVD GitHub
CVSS 3.1
4.3
EPSS
0.5%
CVE-2023-46207 MEDIUM This Month

Server-Side Request Forgery (SSRF) vulnerability in StylemixThemes Motors - Car Dealer, Classifieds & Listing.4.6. Rated medium severity (CVSS 4.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SSRF Motors Car Dealer Classifieds Listing
NVD
CVSS 3.1
4.1
EPSS
0.2%
CVE-2023-41239 MEDIUM This Month

Server-Side Request Forgery (SSRF) vulnerability in Blubrry PowerPress Podcasting plugin by Blubrry.0.6. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SSRF Powerpress
NVD
CVSS 3.1
6.4
EPSS
0.2%
CVE-2023-38515 MEDIUM This Month

Server-Side Request Forgery (SSRF) vulnerability in Andy Moyle Church Admin.7.56. Rated medium severity (CVSS 5.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SSRF Church Admin
NVD
CVSS 3.1
5.5
EPSS
0.1%
CVE-2023-37978 MEDIUM This Month

Server-Side Request Forgery (SSRF) vulnerability in Dimitar Ivanov HTTP Headers.18.11. Rated medium severity (CVSS 4.4), this vulnerability is remotely exploitable. No vendor patch available.

SSRF Http Headers
NVD
CVSS 3.1
4.4
EPSS
0.1%
CVE-2023-34013 MEDIUM This Month

Server-Side Request Forgery (SSRF) vulnerability in Poll Maker Team Poll Maker - Best WordPress Poll Plugin.6.2. Rated medium severity (CVSS 4.4), this vulnerability is remotely exploitable. No vendor patch available.

SSRF WordPress Poll Maker
NVD
CVSS 3.1
4.4
EPSS
0.1%
CVE-2023-31219 MEDIUM This Month

Server-Side Request Forgery (SSRF) vulnerability in WPChill Download Monitor.8.1. Rated medium severity (CVSS 4.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SSRF Download Monitor
NVD
CVSS 3.1
4.1
EPSS
0.2%
CVE-2023-23800 HIGH This Week

Server-Side Request Forgery (SSRF) vulnerability in Vova Anokhin WP Shortcodes Plugin - Shortcodes Ultimate.12.6. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable. No vendor patch available.

SSRF Shortcodes Ultimate
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2023-23684 PHP MEDIUM PATCH This Month

Server-Side Request Forgery (SSRF) vulnerability in WPGraphQL.14.5. Rated medium severity (CVSS 4.4), this vulnerability is remotely exploitable.

SSRF Wpgraphql
NVD
CVSS 3.1
4.4
EPSS
0.2%
CVE-2022-45835 MEDIUM POC THREAT This Month

Server-Side Request Forgery (SSRF) vulnerability in PhonePe PhonePe Payment Solutions.0.15. Rated medium severity (CVSS 5.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 71.1%.

SSRF Phonepe
NVD
CVSS 3.1
5.8
EPSS
71.1%
Threat
4.8
CVE-2023-47121 CRITICAL PATCH Act Now

Discourse is an open source platform for community discussion. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Server-Side Request Forgery (SSRF) vulnerability could allow attackers to make the server perform requests to unintended internal or external resources.

SSRF Discourse
NVD GitHub
CVSS 3.1
9.8
EPSS
0.7%
CVE-2023-46729 npm MEDIUM PATCH This Month

sentry-javascript provides Sentry SDKs for JavaScript. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Server-Side Request Forgery (SSRF) vulnerability could allow attackers to make the server perform requests to unintended internal or external resources.

SSRF Sentry Software Development Kit
NVD GitHub
CVSS 3.1
6.1
EPSS
0.6%
CVE-2023-42361 HIGH This Week

Local File Inclusion vulnerability in Midori-global Better PDF Exporter for Jira Server and Jira Data Center v.10.3.0 and before allows an attacker to view arbitrary files and cause other impacts via. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

SSRF Atlassian Better Pdf Exporter
NVD
CVSS 3.1
7.8
EPSS
0.9%
CVE-2023-46730 HIGH POC PATCH This Week

Group-Office is an enterprise CRM and groupware tool. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

SSRF PHP Microsoft Group Office
NVD GitHub
CVSS 3.1
8.8
EPSS
0.6%
CVE-2023-39301 MEDIUM This Month

A server-side request forgery (SSRF) vulnerability has been reported to affect several QNAP operating system versions. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Qnap SSRF Qts Quts Hero Qutscloud
NVD
CVSS 3.1
4.3
EPSS
0.3%
CVE-2023-4769 HIGH This Week

A SSRF vulnerability has been found in ManageEngine Desktop Central affecting version 9.1.0, specifically the /smtpConfig.do component. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SSRF Zoho Manageengine Desktop Central
NVD
CVSS 3.1
8.8
EPSS
3.3%
CVE-2023-43982 CRITICAL Act Now

Bon Presta boninstagramcarousel between v5.2.1 to v7.0.0 was discovered to contain a Server-Side Request Forgery (SSRF) via the url parameter at insta_parser.php. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SSRF PHP Socialfeed Photos Video Using Instagram Api
NVD
CVSS 3.1
9.8
EPSS
0.6%
CVE-2023-35896 MEDIUM PATCH This Month

IBM Content Navigator 3.0.13 is vulnerable to server-side request forgery (SSRF). Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity.

SSRF IBM Content Navigator
NVD
CVSS 3.1
5.4
EPSS
0.3%
CVE-2023-46725 PHP HIGH PATCH This Week

FoodCoopShop is open source software for food coops and local shops. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. This Server-Side Request Forgery (SSRF) vulnerability could allow attackers to make the server perform requests to unintended internal or external resources.

SSRF Foodcoopshop
NVD GitHub
CVSS 3.1
7.5
EPSS
0.5%
CVE-2023-46236 HIGH PATCH This Week

FOG is a free open-source cloning/imaging/rescue suite/inventory management system. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Server-Side Request Forgery (SSRF) vulnerability could allow attackers to make the server perform requests to unintended internal or external resources.

Apache SSRF Fogproject
NVD GitHub
CVSS 3.1
7.5
EPSS
0.5%
CVE-2023-46502 Maven CRITICAL PATCH Act Now

An issue in openCRX v.5.2.2 allows a remote attacker to read internal files and execute server side request forgery attack via insecure DocumentBuilderFactory. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

SSRF XXE Opencrx
NVD GitHub
CVSS 3.1
9.8
EPSS
0.7%
CVE-2023-43798 MEDIUM This Month

BigBlueButton is an open-source virtual classroom. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SSRF Bigbluebutton
NVD GitHub
CVSS 3.1
5.4
EPSS
0.4%
CVE-2023-5798 HIGH POC This Week

The Assistant WordPress plugin before 1.4.4 does not validate a parameter before making a request to it via wp_remote_get(), which could allow users with a role as low as Editor to perform SSRF. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SSRF WordPress Assistant
NVD WPScan
CVSS 3.1
8.8
EPSS
0.7%
CVE-2023-46124 PyPI HIGH PATCH This Week

Fides is an open-source privacy engineering platform for managing the fulfillment of data privacy requests in runtime environments, and the enforcement of privacy regulations in code. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. This Server-Side Request Forgery (SSRF) vulnerability could allow attackers to make the server perform requests to unintended internal or external resources.

SSRF Fides
NVD GitHub
CVSS 3.1
7.2
EPSS
0.7%
CVE-2023-43795 Maven CRITICAL POC PATCH THREAT Act Now

GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Java SSRF Geoserver
NVD GitHub
CVSS 3.1
9.8
EPSS
67.7%
CVE-2023-41339 Maven MEDIUM PATCH This Month

GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Java SSRF Geoserver
NVD GitHub
CVSS 3.1
5.3
EPSS
0.5%
CVE-2023-45966 HIGH POC This Week

umputun remark42 version 1.12.1 and before has a Blind Server-Side Request Forgery (SSRF) vulnerability. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SSRF Remark42
NVD GitHub
CVSS 3.1
7.5
EPSS
0.6%
CVE-2023-46303 HIGH POC This Week

link_to_local_path in ebooks/conversion/plugins/html_input.py in calibre before 6.19.0 can, by default, add resources outside of the document root. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SSRF Calibre
NVD GitHub
CVSS 3.1
7.5
EPSS
1.4%
CVE-2023-32786 PyPI HIGH PATCH This Week

In Langchain through 0.0.155, prompt injection allows an attacker to force the service to retrieve data from an arbitrary URL, essentially providing SSRF and potentially injecting content into. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SSRF Langchain
NVD GitHub
CVSS 3.1
7.5
EPSS
0.6%
CVE-2023-44256 MEDIUM POC This Month

A server-side request forgery vulnerability [CWE-918] in Fortinet FortiAnalyzer version 7.4.0, version 7.2.0 through 7.2.3 and before 7.0.8 and FortiManager version 7.4.0, version 7.2.0 through 7.2.3. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Fortinet Path Traversal SSRF Information Disclosure Fortianalyzer +1
NVD GitHub
CVSS 3.1
6.5
EPSS
1.2%
CVE-2023-41899 HIGH This Week

Home assistant is an open source home automation. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SSRF Home Assistant
NVD GitHub
CVSS 3.1
7.2
EPSS
0.5%
CVE-2023-45822 Go MEDIUM PATCH This Month

Artifact Hub is a web-based application that enables finding, installing, and publishing packages and configurations for CNCF projects. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SSRF Hub
NVD GitHub
CVSS 3.1
5.3
EPSS
0.5%
CVE-2023-25753 Maven MEDIUM PATCH This Month

There exists an SSRF (Server-Side Request Forgery) vulnerability located at the /sandbox/proxyGateway endpoint. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache SSRF Shenyu
NVD
CVSS 3.1
6.5
EPSS
0.8%
CVE-2023-46229 PyPI HIGH PATCH This Week

LangChain before 0.0.317 allows SSRF via document_loaders/recursive_url_loader.py because crawling can proceed from an external server to an internal server. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Server-Side Request Forgery (SSRF) vulnerability could allow attackers to make the server perform requests to unintended internal or external resources.

SSRF Langchain
NVD GitHub
CVSS 3.1
8.8
EPSS
44.7%
CVE-2023-45152 LOW POC PATCH Monitor

Engelsystem is a shift planning system for chaos events. Rated low severity (CVSS 2.3), this vulnerability is low attack complexity. Public exploit code available.

SSRF Engelsystem
NVD GitHub
CVSS 3.1
2.3
EPSS
0.3%
CVE-2023-45660 MEDIUM PATCH This Month

Nextcloud mail is an email app for the Nextcloud home server platform. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. This Server-Side Request Forgery (SSRF) vulnerability could allow attackers to make the server perform requests to unintended internal or external resources.

SSRF Denial Of Service Nextcloud Mail
NVD GitHub
CVSS 3.1
4.3
EPSS
0.6%
CVE-2023-5572 npm CRITICAL POC PATCH Act Now

Server-Side Request Forgery (SSRF) in GitHub repository vriteio/vrite prior to 0.3.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

SSRF Vrite
NVD GitHub
CVSS 3.1
9.8
EPSS
0.8%
CVE-2023-26366 PHP MEDIUM PATCH This Month

Adobe Commerce versions 2.4.7-beta1 (and earlier), 2.4.6-p2 (and earlier), 2.4.5-p4 (and earlier) and 2.4.4-p5 (and earlier) are affected by a Server-Side Request Forgery (SSRF) vulnerability that. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SSRF Adobe Commerce Magento
NVD
CVSS 3.1
6.8
EPSS
0.6%
CVE-2023-41763 MEDIUM POC KEV PATCH THREAT This Month

Skype for Business Elevation of Privilege Vulnerability. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Server-Side Request Forgery (SSRF) vulnerability could allow attackers to make the server perform requests to unintended internal or external resources.

SSRF Skype For Business Server
NVD
CVSS 3.1
5.3
EPSS
90.4%
CVE-2023-42477 MEDIUM This Month

SAP NetWeaver AS Java (GRMG Heartbeat application) - version 7.50, allows an attacker to send a crafted request from a vulnerable web application, causing limited impact on confidentiality and. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SAP Java SSRF Netweaver Application Server Java
NVD
CVSS 3.1
6.5
EPSS
0.4%
CVE-2023-39854 MEDIUM This Month

The web interface of ATX Ucrypt through 3.5 allows authenticated users (or attackers using default credentials for the admin, master, or user account) to include files via a URL in the. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SSRF Ucrypt
NVD
CVSS 3.1
6.5
EPSS
0.4%
CVE-2023-44384 MEDIUM PATCH This Month

Discourse-jira is a Discourse plugin allows Jira projects, issue types, fields and field options will be synced automatically. Rated medium severity (CVSS 4.1), this vulnerability is remotely exploitable, low attack complexity.

SSRF Atlassian Discourse Jira
NVD GitHub
CVSS 3.1
4.1
EPSS
0.4%
CVE-2023-3744 HIGH This Week

Server-Side Request Forgery vulnerability in SLims version 9.6.0. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SSRF PHP Senayan Library Management System
NVD
CVSS 3.1
8.8
EPSS
0.5%
CVE-2023-44469 MEDIUM PATCH This Month

A Server-Side Request Forgery issue in the OpenID Connect Issuer in LemonLDAP::NG before 2.17.1 allows authenticated remote attackers to send GET requests to arbitrary URLs through the request_uri. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. This Server-Side Request Forgery (SSRF) vulnerability could allow attackers to make the server perform requests to unintended internal or external resources.

SSRF Lemonldap
NVD
CVSS 3.1
4.3
EPSS
0.5%
CVE-2023-43654 PyPI CRITICAL POC PATCH THREAT Act Now

TorchServe is a tool for serving and scaling PyTorch models in production. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SSRF Information Disclosure Torchserve
NVD GitHub
CVSS 3.1
9.8
EPSS
35.3%
CVE-2023-41449 CRITICAL POC Act Now

An issue in phpkobo AjaxNewsTicker v.1.0.5 allows a remote attacker to execute arbitrary code via a crafted payload to the reque parameter. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE SSRF Ajaxnewsticker
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
1.5%
CVE-2023-42812 MEDIUM POC This Month

Galaxy is an open-source platform for FAIR data analysis. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SSRF Galaxy
NVD GitHub
CVSS 3.1
4.3
EPSS
0.3%
CVE-2023-38343 HIGH This Week

An XXE (XML external entity injection) vulnerability exists in the CSEP component of Ivanti Endpoint Manager before 2022 SU4. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Ivanti SSRF XXE Endpoint Manager
NVD GitHub
CVSS 3.1
7.5
EPSS
1.4%
CVE-2023-3025 HIGH PATCH This Week

The Dropbox Folder Share plugin for WordPress is vulnerable to Server-Side Request Forgery in versions up to, and including, 1.9.7 via the 'link' parameter. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Server-Side Request Forgery (SSRF) vulnerability could allow attackers to make the server perform requests to unintended internal or external resources.

SSRF WordPress Dropbox Folder Share
NVD VulDB
CVSS 3.1
7.2
EPSS
0.3%
CVE-2023-42439 PyPI MEDIUM POC PATCH This Month

GeoNode is an open source platform that facilitates the creation, sharing, and collaborative use of geospatial data. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

SSRF Geonode
NVD GitHub
CVSS 3.1
6.5
EPSS
0.8%
CVE-2023-42398 CRITICAL POC Act Now

An issue in zzCMS v.2023 allows a remote attacker to execute arbitrary code and obtain sensitive information via the ueditor component in controller.php. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE SSRF PHP Zzcms
NVD GitHub
CVSS 3.1
9.8
EPSS
1.3%
CVE-2023-4893 MEDIUM This Month

The Crayon Syntax Highlighter plugin for WordPress is vulnerable to Server Side Request Forgery via the 'crayon' shortcode in versions up to, and including, 2.8.4. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress SSRF Crayon Syntax Highlighter
NVD VulDB
CVSS 3.1
6.4
EPSS
0.1%
CVE-2023-4878 MEDIUM POC PATCH This Month

Server-Side Request Forgery (SSRF) in GitHub repository instantsoft/icms2 prior to 2.16.1-git. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

SSRF Instantcms
NVD GitHub
CVSS 3.1
5.4
EPSS
0.3%
CVE-2023-41327 Maven MEDIUM PATCH This Month

WireMock is a tool for mocking HTTP services. Rated medium severity (CVSS 5.4), this vulnerability is no authentication required, low attack complexity. This Server-Side Request Forgery (SSRF) vulnerability could allow attackers to make the server perform requests to unintended internal or external resources.

SSRF Docker Studio Wiremock
NVD GitHub
CVSS 3.1
5.4
EPSS
0.5%
CVE-2023-39967 CRITICAL POC Act Now

WireMock is a tool for mocking HTTP services. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SSRF Studio
NVD GitHub
CVSS 3.1
10.0
EPSS
0.8%
CVE-2023-41937 Maven HIGH PATCH This Week

Jenkins Bitbucket Push and Pull Request Plugin 2.4.0 through 2.8.3 (both inclusive) trusts values provided in the webhook payload, including certain URLs, and uses configured Bitbucket credentials to. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Jenkins SSRF Bitbucket Push And Pull Request
NVD
CVSS 3.1
7.5
EPSS
0.6%
CVE-2023-36388 PyPI MEDIUM PATCH This Month

Improper REST API permission in Apache Superset up to and including 2.1.0 allows for an authenticated Gamma users to test network connections, possible SSRF. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache SSRF Superset
NVD
CVSS 3.1
5.4
EPSS
0.8%
CVE-2023-40743 Maven CRITICAL PATCH Act Now

** UNSUPPORTED WHEN ASSIGNED ** When integrating Apache Axis 1.x in an application, it may not have been obvious that looking up a service through "ServiceFactory.getService" allows potentially. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Java Apache SSRF Axis
NVD GitHub
CVSS 3.1
9.8
EPSS
1.9%
CVE-2023-41055 HIGH POC PATCH This Week

LibreY is a fork of LibreX, a framework-less and javascript-free privacy respecting meta search engine. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

SSRF Google PHP Librey
NVD GitHub
CVSS 3.1
7.5
EPSS
0.7%
CVE-2023-41054 CRITICAL POC PATCH Act Now

LibreY is a fork of LibreX, a framework-less and javascript-free privacy respecting meta search engine. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

SSRF PHP Librey
NVD GitHub
CVSS 3.1
9.1
EPSS
0.7%
CVE-2023-36088 HIGH POC This Week

Server Side Request Forgery (SSRF) vulnerability in NebulaGraph Studio version 3.7.0, allows remote attackers to gain sensitive information. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SSRF Nebulagraph Studio
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.7%
CVE-2023-40969 MEDIUM POC This Month

Senayan Library Management Systems SLIMS 9 Bulian v9.6.1 is vulnerable to Server Side Request Forgery (SSRF) via admin/modules/bibliography/pop_p2p.php. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SSRF PHP Senayan Library Management System
NVD GitHub
CVSS 3.1
6.1
EPSS
0.3%
CVE-2023-4651 MEDIUM POC PATCH This Month

Server-Side Request Forgery (SSRF) in GitHub repository instantsoft/icms2 prior to 2.16.1. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

SSRF Instantcms
NVD GitHub
CVSS 3.1
5.4
EPSS
0.3%
CVE-2023-4624 LOW POC PATCH Monitor

Server-Side Request Forgery (SSRF) in GitHub repository bookstackapp/bookstack prior to v23.08. Rated low severity (CVSS 2.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SSRF Bookstack
NVD GitHub
CVSS 3.1
2.4
EPSS
0.5%
CVE-2023-40017 PyPI HIGH POC PATCH This Week

GeoNode is an open source platform that facilitates the creation, sharing, and collaborative use of geospatial data. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

SSRF Geonode
NVD GitHub
CVSS 3.1
7.5
EPSS
0.6%
CVE-2023-37440 MEDIUM This Month

A vulnerability in the web-based management interface of EdgeConnect SD-WAN Orchestrator could allow an unauthenticated remote attacker to conduct a server-side request forgery (SSRF) attack. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SSRF Edgeconnect Sd Wan Orchestrator
NVD
CVSS 3.1
5.3
EPSS
0.4%
CVE-2023-24515 MEDIUM This Month

Server-Side Request Forgery (SSRF) vulnerability in API checker of Pandora FMS. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SSRF Pandora Fms
NVD GitHub
CVSS 3.1
6.5
EPSS
0.4%
CVE-2023-35011 MEDIUM PATCH This Month

IBM Cognos Analytics 11.1.7, 11.2.0, and 11.2.1 is vulnerable to server-side request forgery (SSRF). Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity.

SSRF IBM Cognos Analytics
NVD
CVSS 3.1
5.4
EPSS
0.4%
CVE-2023-40033 PHP HIGH PATCH This Week

Flarum is an open source forum software. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. This Server-Side Request Forgery (SSRF) vulnerability could allow attackers to make the server perform requests to unintended internal or external resources.

SSRF Oracle Flarum
NVD GitHub
CVSS 3.1
7.1
EPSS
0.4%
CVE-2023-1977 HIGH POC This Week

The Booking Manager WordPress plugin before 2.0.29 does not validate URLs input in it's admin panel or in shortcodes for showing events from a remote .ics file, allowing an attacker with privileges. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SSRF WordPress Booking Manager
NVD WPScan
CVSS 3.1
8.8
EPSS
0.8%
CVE-2023-3958 HIGH PATCH This Week

The WP Remote Users Sync plugin for WordPress is vulnerable to Server Side Request Forgery via the 'notify_ping_remote' AJAX function in versions up to, and including, 1.2.12. Rated high severity (CVSS 8.5), this vulnerability is remotely exploitable, low attack complexity. This Server-Side Request Forgery (SSRF) vulnerability could allow attackers to make the server perform requests to unintended internal or external resources.

WordPress SSRF Wp Remote Users Sync
NVD
CVSS 3.1
8.5
EPSS
0.2%
CVE-2023-26442 LOW Monitor

In case Cacheservice was configured to use a sproxyd object-storage backend, it would follow HTTP redirects issued by that backend. Rated low severity (CVSS 3.2), this vulnerability is no authentication required. No vendor patch available.

SSRF Open Xchange Appsuite Office
NVD
CVSS 3.1
3.2
EPSS
0.3%
CVE-2023-26438 LOW Monitor

External service lookups for a number of protocols were vulnerable to a time-of-check/time-of-use (TOCTOU) weakness, involving the JDK DNS cache. Rated low severity (CVSS 3.1), this vulnerability is remotely exploitable. No vendor patch available.

SSRF Open Xchange Appsuite Backend
NVD
CVSS 3.1
3.1
EPSS
0.5%
CVE-2023-39110 HIGH POC This Week

rconfig v3.9.4 was discovered to contain a Server-Side Request Forgery (SSRF) via the path parameter at /ajaxGetFileByPath.php. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SSRF PHP Rconfig
NVD GitHub
CVSS 3.1
8.8
EPSS
2.7%
CVE-2023-39109 HIGH POC This Week

rconfig v3.9.4 was discovered to contain a Server-Side Request Forgery (SSRF) via the path_a parameter in the doDiff Function of /classes/compareClass.php. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SSRF PHP Rconfig
NVD GitHub
CVSS 3.1
8.8
EPSS
3.0%
CVE-2023-39108 HIGH POC This Week

rconfig v3.9.4 was discovered to contain a Server-Side Request Forgery (SSRF) via the path_b parameter in the doDiff Function of /classes/compareClass.php. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SSRF PHP Rconfig
NVD GitHub
CVSS 3.1
8.8
EPSS
3.0%
CVE-2023-3981 MEDIUM POC PATCH This Month

Server-Side Request Forgery (SSRF) in GitHub repository omeka/omeka-s prior to 4.0.2. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

SSRF Omeka
NVD GitHub
CVSS 3.1
4.9
EPSS
0.6%
CVE-2023-38490 PHP CRITICAL PATCH Act Now

Kirby is a content management system. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

SSRF XXE Kirby
NVD GitHub
CVSS 3.1
10.0
EPSS
1.5%
CVE-2021-35391 HIGH POC This Week

Server Side Request Forgery vulnerability found in Deskpro Support Desk v2021.21.6 allows attackers to execute arbitrary code via a crafted URL. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE SSRF Deskpro
NVD
CVSS 3.1
7.2
EPSS
0.9%
CVE-2023-37290 HIGH This Week

InfoDoc Document On-line Submission and Approval System lacks sufficient restrictions on the available tags within its HTML to PDF conversion function, and allowing an unauthenticated attackers to. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SSRF Authentication Bypass Document On Line Submission And Approval System
NVD
CVSS 3.1
7.5
EPSS
0.6%
CVE-2023-29260 MEDIUM PATCH This Month

IBM Sterling Connect:Express for UNIX 1.5 is vulnerable to server-side request forgery (SSRF). Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity.

SSRF IBM Sterling Connect
NVD
CVSS 3.1
5.4
EPSS
0.3%
CVE-2023-3577 MEDIUM This Month

Mattermost fails to properly restrict requests to localhost/intranet during the interactive dialog, which could allow an attacker to perform a limited blind SSRF. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Mattermost SSRF Mattermost Server
NVD
CVSS 3.1
4.3
EPSS
0.3%
CVE-2023-32052 MEDIUM PATCH This Month

Microsoft Power Apps (online) Spoofing Vulnerability. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. This Server-Side Request Forgery (SSRF) vulnerability could allow attackers to make the server perform requests to unintended internal or external resources.

SSRF Microsoft Power Apps
NVD
CVSS 3.1
5.4
EPSS
0.5%
CVE-2023-36925 HIGH This Week

SAP Solution Manager (Diagnostics agent) - version 7.20, allows an unauthenticated attacker to blindly execute HTTP requests. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SAP SSRF Solution Manager
NVD
CVSS 3.1
7.2
EPSS
0.6%
CVE-2023-3578 CRITICAL POC Act Now

A vulnerability classified as critical was found in DedeCMS 5.7.109. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SSRF PHP Dedecms
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
3.6%
CVE-2023-37262 HIGH PATCH This Week

CC: Tweaked is a mod for Minecraft which adds programmable computers, turtles, and more to the game. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. This Server-Side Request Forgery (SSRF) vulnerability could allow attackers to make the server perform requests to unintended internal or external resources.

SSRF Microsoft Cc Tweaked
NVD GitHub
CVSS 3.1
8.8
EPSS
0.9%
CVE-2023-37261 HIGH PATCH This Week

OpenComputers is a Minecraft mod that adds programmable computers and robots to the game.2.0 until 1.8.3 in their most common, default configurations. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. This Server-Side Request Forgery (SSRF) vulnerability could allow attackers to make the server perform requests to unintended internal or external resources.

SSRF Microsoft Opencomputers
NVD GitHub
CVSS 3.1
8.8
EPSS
0.8%
EPSS 1% CVSS 6.5
MEDIUM POC This Month

Book Stack version 23.10.2 allows filtering local files on the server. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SSRF Bookstack
NVD
EPSS 1% CVSS 8.8
HIGH PATCH This Week

XWiki Platform is a generic wiki platform. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

SSRF Xwiki
NVD GitHub
EPSS 1% CVSS 6.5
MEDIUM POC This Month

An issue in PublicCMS v.4.0.202302.e allows a remote attacker to obtain sensitive information via the appToken and Parameters parameter of the api/method/getHtml component. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SSRF Publiccms
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM POC PATCH This Month

Server-Side Request Forgery (SSRF) in GitHub repository salesagility/suitecrm prior to 7.14.2, 8.4.2, 7.12.14. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

SSRF Suitecrm
NVD GitHub
EPSS 0% CVSS 4.1
MEDIUM This Month

Server-Side Request Forgery (SSRF) vulnerability in StylemixThemes Motors - Car Dealer, Classifieds & Listing.4.6. Rated medium severity (CVSS 4.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SSRF Motors Car Dealer Classifieds Listing
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Server-Side Request Forgery (SSRF) vulnerability in Blubrry PowerPress Podcasting plugin by Blubrry.0.6. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SSRF Powerpress
NVD
EPSS 0% CVSS 5.5
MEDIUM This Month

Server-Side Request Forgery (SSRF) vulnerability in Andy Moyle Church Admin.7.56. Rated medium severity (CVSS 5.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SSRF Church Admin
NVD
EPSS 0% CVSS 4.4
MEDIUM This Month

Server-Side Request Forgery (SSRF) vulnerability in Dimitar Ivanov HTTP Headers.18.11. Rated medium severity (CVSS 4.4), this vulnerability is remotely exploitable. No vendor patch available.

SSRF Http Headers
NVD
EPSS 0% CVSS 4.4
MEDIUM This Month

Server-Side Request Forgery (SSRF) vulnerability in Poll Maker Team Poll Maker - Best WordPress Poll Plugin.6.2. Rated medium severity (CVSS 4.4), this vulnerability is remotely exploitable. No vendor patch available.

SSRF WordPress Poll Maker
NVD
EPSS 0% CVSS 4.1
MEDIUM This Month

Server-Side Request Forgery (SSRF) vulnerability in WPChill Download Monitor.8.1. Rated medium severity (CVSS 4.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SSRF Download Monitor
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Server-Side Request Forgery (SSRF) vulnerability in Vova Anokhin WP Shortcodes Plugin - Shortcodes Ultimate.12.6. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable. No vendor patch available.

SSRF Shortcodes Ultimate
NVD
EPSS 0% CVSS 4.4
MEDIUM PATCH This Month

Server-Side Request Forgery (SSRF) vulnerability in WPGraphQL.14.5. Rated medium severity (CVSS 4.4), this vulnerability is remotely exploitable.

SSRF Wpgraphql
NVD
EPSS 71% 4.8 CVSS 5.8
MEDIUM POC THREAT This Month

Server-Side Request Forgery (SSRF) vulnerability in PhonePe PhonePe Payment Solutions.0.15. Rated medium severity (CVSS 5.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 71.1%.

SSRF Phonepe
NVD
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

Discourse is an open source platform for community discussion. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Server-Side Request Forgery (SSRF) vulnerability could allow attackers to make the server perform requests to unintended internal or external resources.

SSRF Discourse
NVD GitHub
EPSS 1% CVSS 6.1
MEDIUM PATCH This Month

sentry-javascript provides Sentry SDKs for JavaScript. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Server-Side Request Forgery (SSRF) vulnerability could allow attackers to make the server perform requests to unintended internal or external resources.

SSRF Sentry Software Development Kit
NVD GitHub
EPSS 1% CVSS 7.8
HIGH This Week

Local File Inclusion vulnerability in Midori-global Better PDF Exporter for Jira Server and Jira Data Center v.10.3.0 and before allows an attacker to view arbitrary files and cause other impacts via. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

SSRF Atlassian Better Pdf Exporter
NVD
EPSS 1% CVSS 8.8
HIGH POC PATCH This Week

Group-Office is an enterprise CRM and groupware tool. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

SSRF PHP Microsoft +1
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM This Month

A server-side request forgery (SSRF) vulnerability has been reported to affect several QNAP operating system versions. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Qnap SSRF Qts +2
NVD
EPSS 3% CVSS 8.8
HIGH This Week

A SSRF vulnerability has been found in ManageEngine Desktop Central affecting version 9.1.0, specifically the /smtpConfig.do component. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SSRF Zoho Manageengine Desktop Central
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

Bon Presta boninstagramcarousel between v5.2.1 to v7.0.0 was discovered to contain a Server-Side Request Forgery (SSRF) via the url parameter at insta_parser.php. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SSRF PHP Socialfeed Photos Video Using Instagram Api
NVD
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

IBM Content Navigator 3.0.13 is vulnerable to server-side request forgery (SSRF). Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity.

SSRF IBM Content Navigator
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Week

FoodCoopShop is open source software for food coops and local shops. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. This Server-Side Request Forgery (SSRF) vulnerability could allow attackers to make the server perform requests to unintended internal or external resources.

SSRF Foodcoopshop
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

FOG is a free open-source cloning/imaging/rescue suite/inventory management system. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Server-Side Request Forgery (SSRF) vulnerability could allow attackers to make the server perform requests to unintended internal or external resources.

Apache SSRF Fogproject
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

An issue in openCRX v.5.2.2 allows a remote attacker to read internal files and execute server side request forgery attack via insecure DocumentBuilderFactory. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

SSRF XXE Opencrx
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM This Month

BigBlueButton is an open-source virtual classroom. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SSRF Bigbluebutton
NVD GitHub
EPSS 1% CVSS 8.8
HIGH POC This Week

The Assistant WordPress plugin before 1.4.4 does not validate a parameter before making a request to it via wp_remote_get(), which could allow users with a role as low as Editor to perform SSRF. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SSRF WordPress Assistant
NVD WPScan
EPSS 1% CVSS 7.2
HIGH PATCH This Week

Fides is an open-source privacy engineering platform for managing the fulfillment of data privacy requests in runtime environments, and the enforcement of privacy regulations in code. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. This Server-Side Request Forgery (SSRF) vulnerability could allow attackers to make the server perform requests to unintended internal or external resources.

SSRF Fides
NVD GitHub
EPSS 68% CVSS 9.8
CRITICAL POC PATCH THREAT Act Now

GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Java SSRF Geoserver
NVD GitHub
EPSS 1% CVSS 5.3
MEDIUM PATCH This Month

GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Java SSRF Geoserver
NVD GitHub
EPSS 1% CVSS 7.5
HIGH POC This Week

umputun remark42 version 1.12.1 and before has a Blind Server-Side Request Forgery (SSRF) vulnerability. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SSRF Remark42
NVD GitHub
EPSS 1% CVSS 7.5
HIGH POC This Week

link_to_local_path in ebooks/conversion/plugins/html_input.py in calibre before 6.19.0 can, by default, add resources outside of the document root. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SSRF Calibre
NVD GitHub
EPSS 1% CVSS 7.5
HIGH PATCH This Week

In Langchain through 0.0.155, prompt injection allows an attacker to force the service to retrieve data from an arbitrary URL, essentially providing SSRF and potentially injecting content into. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SSRF Langchain
NVD GitHub
EPSS 1% CVSS 6.5
MEDIUM POC This Month

A server-side request forgery vulnerability [CWE-918] in Fortinet FortiAnalyzer version 7.4.0, version 7.2.0 through 7.2.3 and before 7.0.8 and FortiManager version 7.4.0, version 7.2.0 through 7.2.3. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Fortinet Path Traversal SSRF +3
NVD GitHub
EPSS 0% CVSS 7.2
HIGH This Week

Home assistant is an open source home automation. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SSRF Home Assistant
NVD GitHub
EPSS 1% CVSS 5.3
MEDIUM PATCH This Month

Artifact Hub is a web-based application that enables finding, installing, and publishing packages and configurations for CNCF projects. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SSRF Hub
NVD GitHub
EPSS 1% CVSS 6.5
MEDIUM PATCH This Month

There exists an SSRF (Server-Side Request Forgery) vulnerability located at the /sandbox/proxyGateway endpoint. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache SSRF Shenyu
NVD
EPSS 45% CVSS 8.8
HIGH PATCH This Week

LangChain before 0.0.317 allows SSRF via document_loaders/recursive_url_loader.py because crawling can proceed from an external server to an internal server. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Server-Side Request Forgery (SSRF) vulnerability could allow attackers to make the server perform requests to unintended internal or external resources.

SSRF Langchain
NVD GitHub
EPSS 0% CVSS 2.3
LOW POC PATCH Monitor

Engelsystem is a shift planning system for chaos events. Rated low severity (CVSS 2.3), this vulnerability is low attack complexity. Public exploit code available.

SSRF Engelsystem
NVD GitHub
EPSS 1% CVSS 4.3
MEDIUM PATCH This Month

Nextcloud mail is an email app for the Nextcloud home server platform. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. This Server-Side Request Forgery (SSRF) vulnerability could allow attackers to make the server perform requests to unintended internal or external resources.

SSRF Denial Of Service Nextcloud +1
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL POC PATCH Act Now

Server-Side Request Forgery (SSRF) in GitHub repository vriteio/vrite prior to 0.3.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

SSRF Vrite
NVD GitHub
EPSS 1% CVSS 6.8
MEDIUM PATCH This Month

Adobe Commerce versions 2.4.7-beta1 (and earlier), 2.4.6-p2 (and earlier), 2.4.5-p4 (and earlier) and 2.4.4-p5 (and earlier) are affected by a Server-Side Request Forgery (SSRF) vulnerability that. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SSRF Adobe Commerce +1
NVD
EPSS 90% CVSS 5.3
MEDIUM POC KEV PATCH THREAT This Month

Skype for Business Elevation of Privilege Vulnerability. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Server-Side Request Forgery (SSRF) vulnerability could allow attackers to make the server perform requests to unintended internal or external resources.

SSRF Skype For Business Server
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

SAP NetWeaver AS Java (GRMG Heartbeat application) - version 7.50, allows an attacker to send a crafted request from a vulnerable web application, causing limited impact on confidentiality and. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SAP Java SSRF +1
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

The web interface of ATX Ucrypt through 3.5 allows authenticated users (or attackers using default credentials for the admin, master, or user account) to include files via a URL in the. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SSRF Ucrypt
NVD
EPSS 0% CVSS 4.1
MEDIUM PATCH This Month

Discourse-jira is a Discourse plugin allows Jira projects, issue types, fields and field options will be synced automatically. Rated medium severity (CVSS 4.1), this vulnerability is remotely exploitable, low attack complexity.

SSRF Atlassian Discourse Jira
NVD GitHub
EPSS 0% CVSS 8.8
HIGH This Week

Server-Side Request Forgery vulnerability in SLims version 9.6.0. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SSRF PHP Senayan Library Management System
NVD
EPSS 1% CVSS 4.3
MEDIUM PATCH This Month

A Server-Side Request Forgery issue in the OpenID Connect Issuer in LemonLDAP::NG before 2.17.1 allows authenticated remote attackers to send GET requests to arbitrary URLs through the request_uri. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. This Server-Side Request Forgery (SSRF) vulnerability could allow attackers to make the server perform requests to unintended internal or external resources.

SSRF Lemonldap
NVD
EPSS 35% CVSS 9.8
CRITICAL POC PATCH THREAT Act Now

TorchServe is a tool for serving and scaling PyTorch models in production. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SSRF Information Disclosure Torchserve
NVD GitHub
EPSS 2% CVSS 9.8
CRITICAL POC Act Now

An issue in phpkobo AjaxNewsTicker v.1.0.5 allows a remote attacker to execute arbitrary code via a crafted payload to the reque parameter. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE SSRF Ajaxnewsticker
NVD GitHub VulDB
EPSS 0% CVSS 4.3
MEDIUM POC This Month

Galaxy is an open-source platform for FAIR data analysis. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SSRF Galaxy
NVD GitHub
EPSS 1% CVSS 7.5
HIGH This Week

An XXE (XML external entity injection) vulnerability exists in the CSEP component of Ivanti Endpoint Manager before 2022 SU4. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Ivanti SSRF XXE +1
NVD GitHub
EPSS 0% CVSS 7.2
HIGH PATCH This Week

The Dropbox Folder Share plugin for WordPress is vulnerable to Server-Side Request Forgery in versions up to, and including, 1.9.7 via the 'link' parameter. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Server-Side Request Forgery (SSRF) vulnerability could allow attackers to make the server perform requests to unintended internal or external resources.

SSRF WordPress Dropbox Folder Share
NVD VulDB
EPSS 1% CVSS 6.5
MEDIUM POC PATCH This Month

GeoNode is an open source platform that facilitates the creation, sharing, and collaborative use of geospatial data. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

SSRF Geonode
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL POC Act Now

An issue in zzCMS v.2023 allows a remote attacker to execute arbitrary code and obtain sensitive information via the ueditor component in controller.php. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE SSRF PHP +1
NVD GitHub
EPSS 0% CVSS 6.4
MEDIUM This Month

The Crayon Syntax Highlighter plugin for WordPress is vulnerable to Server Side Request Forgery via the 'crayon' shortcode in versions up to, and including, 2.8.4. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress SSRF Crayon Syntax Highlighter
NVD VulDB
EPSS 0% CVSS 5.4
MEDIUM POC PATCH This Month

Server-Side Request Forgery (SSRF) in GitHub repository instantsoft/icms2 prior to 2.16.1-git. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

SSRF Instantcms
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

WireMock is a tool for mocking HTTP services. Rated medium severity (CVSS 5.4), this vulnerability is no authentication required, low attack complexity. This Server-Side Request Forgery (SSRF) vulnerability could allow attackers to make the server perform requests to unintended internal or external resources.

SSRF Docker Studio +1
NVD GitHub
EPSS 1% CVSS 10.0
CRITICAL POC Act Now

WireMock is a tool for mocking HTTP services. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SSRF Studio
NVD GitHub
EPSS 1% CVSS 7.5
HIGH PATCH This Week

Jenkins Bitbucket Push and Pull Request Plugin 2.4.0 through 2.8.3 (both inclusive) trusts values provided in the webhook payload, including certain URLs, and uses configured Bitbucket credentials to. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Jenkins SSRF Bitbucket Push And Pull Request
NVD
EPSS 1% CVSS 5.4
MEDIUM PATCH This Month

Improper REST API permission in Apache Superset up to and including 2.1.0 allows for an authenticated Gamma users to test network connections, possible SSRF. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache SSRF Superset
NVD
EPSS 2% CVSS 9.8
CRITICAL PATCH Act Now

** UNSUPPORTED WHEN ASSIGNED ** When integrating Apache Axis 1.x in an application, it may not have been obvious that looking up a service through "ServiceFactory.getService" allows potentially. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Java Apache SSRF +1
NVD GitHub
EPSS 1% CVSS 7.5
HIGH POC PATCH This Week

LibreY is a fork of LibreX, a framework-less and javascript-free privacy respecting meta search engine. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

SSRF Google PHP +1
NVD GitHub
EPSS 1% CVSS 9.1
CRITICAL POC PATCH Act Now

LibreY is a fork of LibreX, a framework-less and javascript-free privacy respecting meta search engine. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

SSRF PHP Librey
NVD GitHub
EPSS 1% CVSS 7.5
HIGH POC This Week

Server Side Request Forgery (SSRF) vulnerability in NebulaGraph Studio version 3.7.0, allows remote attackers to gain sensitive information. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SSRF Nebulagraph Studio
NVD GitHub VulDB
EPSS 0% CVSS 6.1
MEDIUM POC This Month

Senayan Library Management Systems SLIMS 9 Bulian v9.6.1 is vulnerable to Server Side Request Forgery (SSRF) via admin/modules/bibliography/pop_p2p.php. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SSRF PHP Senayan Library Management System
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM POC PATCH This Month

Server-Side Request Forgery (SSRF) in GitHub repository instantsoft/icms2 prior to 2.16.1. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

SSRF Instantcms
NVD GitHub
EPSS 1% CVSS 2.4
LOW POC PATCH Monitor

Server-Side Request Forgery (SSRF) in GitHub repository bookstackapp/bookstack prior to v23.08. Rated low severity (CVSS 2.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SSRF Bookstack
NVD GitHub
EPSS 1% CVSS 7.5
HIGH POC PATCH This Week

GeoNode is an open source platform that facilitates the creation, sharing, and collaborative use of geospatial data. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

SSRF Geonode
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM This Month

A vulnerability in the web-based management interface of EdgeConnect SD-WAN Orchestrator could allow an unauthenticated remote attacker to conduct a server-side request forgery (SSRF) attack. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SSRF Edgeconnect Sd Wan Orchestrator
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Server-Side Request Forgery (SSRF) vulnerability in API checker of Pandora FMS. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SSRF Pandora Fms
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

IBM Cognos Analytics 11.1.7, 11.2.0, and 11.2.1 is vulnerable to server-side request forgery (SSRF). Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity.

SSRF IBM Cognos Analytics
NVD
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Flarum is an open source forum software. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. This Server-Side Request Forgery (SSRF) vulnerability could allow attackers to make the server perform requests to unintended internal or external resources.

SSRF Oracle Flarum
NVD GitHub
EPSS 1% CVSS 8.8
HIGH POC This Week

The Booking Manager WordPress plugin before 2.0.29 does not validate URLs input in it's admin panel or in shortcodes for showing events from a remote .ics file, allowing an attacker with privileges. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SSRF WordPress Booking Manager
NVD WPScan
EPSS 0% CVSS 8.5
HIGH PATCH This Week

The WP Remote Users Sync plugin for WordPress is vulnerable to Server Side Request Forgery via the 'notify_ping_remote' AJAX function in versions up to, and including, 1.2.12. Rated high severity (CVSS 8.5), this vulnerability is remotely exploitable, low attack complexity. This Server-Side Request Forgery (SSRF) vulnerability could allow attackers to make the server perform requests to unintended internal or external resources.

WordPress SSRF Wp Remote Users Sync
NVD
EPSS 0% CVSS 3.2
LOW Monitor

In case Cacheservice was configured to use a sproxyd object-storage backend, it would follow HTTP redirects issued by that backend. Rated low severity (CVSS 3.2), this vulnerability is no authentication required. No vendor patch available.

SSRF Open Xchange Appsuite Office
NVD
EPSS 0% CVSS 3.1
LOW Monitor

External service lookups for a number of protocols were vulnerable to a time-of-check/time-of-use (TOCTOU) weakness, involving the JDK DNS cache. Rated low severity (CVSS 3.1), this vulnerability is remotely exploitable. No vendor patch available.

SSRF Open Xchange Appsuite Backend
NVD
EPSS 3% CVSS 8.8
HIGH POC This Week

rconfig v3.9.4 was discovered to contain a Server-Side Request Forgery (SSRF) via the path parameter at /ajaxGetFileByPath.php. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SSRF PHP Rconfig
NVD GitHub
EPSS 3% CVSS 8.8
HIGH POC This Week

rconfig v3.9.4 was discovered to contain a Server-Side Request Forgery (SSRF) via the path_a parameter in the doDiff Function of /classes/compareClass.php. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SSRF PHP Rconfig
NVD GitHub
EPSS 3% CVSS 8.8
HIGH POC This Week

rconfig v3.9.4 was discovered to contain a Server-Side Request Forgery (SSRF) via the path_b parameter in the doDiff Function of /classes/compareClass.php. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SSRF PHP Rconfig
NVD GitHub
EPSS 1% CVSS 4.9
MEDIUM POC PATCH This Month

Server-Side Request Forgery (SSRF) in GitHub repository omeka/omeka-s prior to 4.0.2. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

SSRF Omeka
NVD GitHub
EPSS 2% CVSS 10.0
CRITICAL PATCH Act Now

Kirby is a content management system. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

SSRF XXE Kirby
NVD GitHub
EPSS 1% CVSS 7.2
HIGH POC This Week

Server Side Request Forgery vulnerability found in Deskpro Support Desk v2021.21.6 allows attackers to execute arbitrary code via a crafted URL. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE SSRF Deskpro
NVD
EPSS 1% CVSS 7.5
HIGH This Week

InfoDoc Document On-line Submission and Approval System lacks sufficient restrictions on the available tags within its HTML to PDF conversion function, and allowing an unauthenticated attackers to. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SSRF Authentication Bypass Document On Line Submission And Approval System
NVD
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

IBM Sterling Connect:Express for UNIX 1.5 is vulnerable to server-side request forgery (SSRF). Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity.

SSRF IBM Sterling Connect
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Mattermost fails to properly restrict requests to localhost/intranet during the interactive dialog, which could allow an attacker to perform a limited blind SSRF. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Mattermost SSRF Mattermost Server
NVD
EPSS 1% CVSS 5.4
MEDIUM PATCH This Month

Microsoft Power Apps (online) Spoofing Vulnerability. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. This Server-Side Request Forgery (SSRF) vulnerability could allow attackers to make the server perform requests to unintended internal or external resources.

SSRF Microsoft Power Apps
NVD
EPSS 1% CVSS 7.2
HIGH This Week

SAP Solution Manager (Diagnostics agent) - version 7.20, allows an unauthenticated attacker to blindly execute HTTP requests. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SAP SSRF Solution Manager
NVD
EPSS 4% CVSS 9.8
CRITICAL POC Act Now

A vulnerability classified as critical was found in DedeCMS 5.7.109. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SSRF PHP Dedecms
NVD GitHub VulDB
EPSS 1% CVSS 8.8
HIGH PATCH This Week

CC: Tweaked is a mod for Minecraft which adds programmable computers, turtles, and more to the game. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. This Server-Side Request Forgery (SSRF) vulnerability could allow attackers to make the server perform requests to unintended internal or external resources.

SSRF Microsoft Cc Tweaked
NVD GitHub
EPSS 1% CVSS 8.8
HIGH PATCH This Week

OpenComputers is a Minecraft mod that adds programmable computers and robots to the game.2.0 until 1.8.3 in their most common, default configurations. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. This Server-Side Request Forgery (SSRF) vulnerability could allow attackers to make the server perform requests to unintended internal or external resources.

SSRF Microsoft Opencomputers
NVD GitHub
Prev Page 23 of 32 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy