Skip to main content

SSRF

2869 CVEs technique

Monthly

CVE-2022-25800 CRITICAL PATCH Act Now

Best Practical RT for Incident Response (RTIR) before 4.0.3 and 5.x before 5.0.3 allows SSRF via the whois lookup tool. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Server-Side Request Forgery (SSRF) vulnerability could allow attackers to make the server perform requests to unintended internal or external resources.

SSRF Request Tracker For Incident Response
NVD
CVSS 3.1
9.1
EPSS
0.8%
CVE-2022-22982 HIGH This Week

The vCenter Server contains a server-side request forgery (SSRF) vulnerability. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

VMware SSRF Cloud Foundation Vcenter Server
NVD
CVSS 3.1
7.5
EPSS
0.9%
CVE-2022-2339 HIGH POC PATCH This Week

With this SSRF vulnerability, an attacker can reach internal addresses to make a request as the server and read it's contents. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

SSRF Nocodb
NVD GitHub
CVSS 3.1
7.5
EPSS
1.8%
CVE-2022-32533 Maven CRITICAL Act Now

Apache Jetspeed-2 does not sufficiently filter untrusted user input by default leading to a number of issues including XSS, CSRF, XXE, and SSRF. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SSRF XSS CSRF Apache XXE +1
NVD
CVSS 3.1
9.8
EPSS
3.8%
CVE-2022-25876 npm MEDIUM POC PATCH This Month

The package link-preview-js before 2.1.16 are vulnerable to Server-side Request Forgery (SSRF) which allows attackers to send arbitrary requests to the local network and read the response. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. Public exploit code available.

SSRF Link Preview Js
NVD GitHub
CVSS 3.1
5.5
EPSS
0.4%
CVE-2022-26135 MEDIUM This Month

A vulnerability in Mobile Plugin for Jira Data Center and Server allows a remote, authenticated user (including a user who joined via the sign-up feature) to perform a full read server-side request. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SSRF Atlassian Jira Data Center Jira Server Jira Service Desk +1
NVD
CVSS 3.1
6.5
EPSS
71.2%
CVE-2022-0085 PHP MEDIUM POC PATCH This Month

Server-Side Request Forgery (SSRF) in GitHub repository dompdf/dompdf prior to 2.0.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

SSRF Dompdf
NVD GitHub
CVSS 3.1
5.3
EPSS
1.0%
CVE-2022-32995 CRITICAL POC THREAT Act Now

Halo CMS v1.5.3 was discovered to contain a Server-Side Request Forgery (SSRF) via the template remote download function. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SSRF Halo
NVD GitHub
CVSS 3.1
9.8
EPSS
15.9%
CVE-2022-2216 npm CRITICAL POC PATCH Act Now

Server-Side Request Forgery (SSRF) in GitHub repository ionicabizau/parse-url prior to 7.0.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

SSRF Parse Url
NVD GitHub
CVSS 3.1
9.8
EPSS
1.5%
CVE-2022-1977 HIGH POC This Week

The Import Export All WordPress Images, Users & Post Types WordPress plugin before 6.5.3 does not fully validate the file to be imported via an URL before making an HTTP request to it, which could. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SSRF WordPress Import All Pages Post Types Products Orders And Users As Xml Csv
NVD WPScan
CVSS 3.1
7.2
EPSS
1.3%
CVE-2022-23170 CRITICAL Act Now

SysAid - Okta SSO integration - was found vulnerable to XML External Entity Injection vulnerability. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SSRF XXE Okta Sso
NVD
CVSS 3.1
9.8
EPSS
0.6%
CVE-2022-34013 MEDIUM POC This Month

OneBlog v2.3.4 was discovered to contain a Server-Side Request Forgery (SSRF) vulnerability via the Logo parameter under the Link module. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SSRF Oneblog
NVD
CVSS 3.1
4.3
EPSS
0.5%
CVE-2022-34011 MEDIUM POC This Month

OneBlog v2.3.4 was discovered to contain a Server-Side Request Forgery (SSRF) vulnerability via the parameter entryUrls. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SSRF Oneblog
NVD
CVSS 3.1
4.3
EPSS
0.5%
CVE-2022-23080 npm MEDIUM POC PATCH This Month

In directus versions v9.0.0-beta.2 through 9.6.0 are vulnerable to server-side request forgery (SSRF) in the media upload functionality which allows a low privileged user to perform internal network. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

SSRF Directus
NVD GitHub
CVSS 3.1
5.0
EPSS
0.8%
CVE-2022-23071 MEDIUM POC PATCH This Month

In Recipes, versions 0.9.1 through 1.2.5 are vulnerable to Server Side Request Forgery (SSRF), in the “Import Recipe” functionality. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

SSRF Recipes
NVD GitHub
CVSS 3.1
6.5
EPSS
1.0%
CVE-2022-29612 MEDIUM This Month

SAP NetWeaver, ABAP Platform and SAP Host Agent - versions KERNEL 7.22, 7.49, 7.53, 7.77, 7.81, 7.85, 7.86, 7.87, 7.88, 8.04, KRNL64NUC 7.22, 7.22EXT, 7.49, KRNL64UC 7.22, 7.22EXT, 7.49, 7.53, 8.04,. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SSRF SAP Host Agent Netweaver Abap
NVD
CVSS 3.1
4.3
EPSS
0.6%
CVE-2022-28217 MEDIUM This Month

Some part of SAP NetWeaver (EP Web Page Composer) does not sufficiently validate an XML document accepted from an untrusted source, which allows an adversary to exploit unprotected XML parking at. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SSRF SAP Netweaver
NVD
CVSS 3.1
6.5
EPSS
0.7%
CVE-2022-24969 Maven MEDIUM PATCH This Month

bypass CVE-2021-25640 > In Apache Dubbo prior to 2.6.12 and 2.7.15, the usage of parseURL method will lead to the bypass of the white host check which can cause open redirect or SSRF vulnerability. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SSRF Apache Open Redirect Dubbo
NVD
CVSS 3.1
6.1
EPSS
1.7%
CVE-2022-31830 npm CRITICAL POC THREAT Act Now

Kity Minder v1.3.5 was discovered to contain a Server-Side Request Forgery (SSRF) via the init function at ImageCapture.class.php. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SSRF Kity Minder
NVD GitHub
CVSS 3.1
9.1
EPSS
15.0%
CVE-2022-31827 CRITICAL POC THREAT Act Now

MonstaFTP v2.10.3 was discovered to contain a Server-Side Request Forgery (SSRF) via the function performFetchRequest at HTTPFetcher.php. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SSRF Monstaftp
NVD GitHub
CVSS 3.1
9.1
EPSS
19.6%
CVE-2022-31393 CRITICAL POC Act Now

Jizhicms v2.2.5 was discovered to contain a Server-Side Request Forgery (SSRF) vulnerability via the Index function in app/admin/c/PluginsController.php. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SSRF Jizhicms
NVD GitHub
CVSS 3.1
9.1
EPSS
1.0%
CVE-2022-31390 CRITICAL POC Act Now

Jizhicms v2.2.5 was discovered to contain a Server-Side Request Forgery (SSRF) vulnerability via the Update function in app/admin/c/TemplateController.php. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SSRF Jizhicms
NVD GitHub
CVSS 3.1
9.1
EPSS
1.0%
CVE-2022-31386 CRITICAL POC Act Now

A Server-Side Request Forgery (SSRF) in the getFileBinary function of nbnbk cms 3 allows attackers to force the application to make arbitrary requests via injection of arbitrary URLs into the URL. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SSRF Nbnbk
NVD GitHub
CVSS 3.1
9.1
EPSS
1.0%
CVE-2022-29631 Maven HIGH POC PATCH This Week

Jodd HTTP v6.0.9 was discovered to contain multiple CLRF injection vulnerabilities via the components jodd.http.HttpRequest#set and `jodd.http.HttpRequest#send. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SSRF Jodd Http
NVD GitHub
CVSS 3.1
7.5
EPSS
0.9%
CVE-2022-1285 Go MEDIUM POC PATCH This Month

Server-Side Request Forgery (SSRF) in GitHub repository gogs/gogs prior to 0.12.8. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

SSRF Gogs
NVD GitHub
CVSS 3.1
6.5
EPSS
1.2%
CVE-2022-29309 HIGH POC This Week

mysiteforme v2.2.1 was discovered to contain a Server-Side Request Forgery. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SSRF Mysiteforme
NVD GitHub
CVSS 3.1
7.5
EPSS
0.9%
CVE-2022-28997 HIGH POC This Week

CSZCMS v1.3.0 allows attackers to execute a Server-Side Request Forgery (SSRF) which can be leveraged to leak sensitive data via a local file inclusion at /admin/filemanager/connector/. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SSRF Information Disclosure Cszcms
NVD
CVSS 3.1
7.5
EPSS
1.9%
CVE-2022-29188 Go MEDIUM PATCH This Month

Smokescreen is an HTTP proxy. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Server-Side Request Forgery (SSRF) vulnerability could allow attackers to make the server perform requests to unintended internal or external resources.

SSRF Smokescreen
NVD GitHub
CVSS 3.1
6.5
EPSS
0.8%
CVE-2022-1784 HIGH POC PATCH This Week

Server-Side Request Forgery (SSRF) in GitHub repository jgraph/drawio prior to 18.0.8. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

SSRF Drawio
NVD GitHub
CVSS 3.1
7.5
EPSS
1.7%
CVE-2022-1767 HIGH POC PATCH This Week

Server-Side Request Forgery (SSRF) in GitHub repository jgraph/drawio prior to 18.0.7. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

SSRF Drawio
NVD GitHub
CVSS 3.1
7.5
EPSS
1.7%
CVE-2022-28616 CRITICAL PATCH Act Now

A remote server-side request forgery (ssrf) vulnerability was discovered in HPE OneView version(s): Prior to 7.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

SSRF Oneview
NVD
CVSS 3.1
9.8
EPSS
1.3%
CVE-2022-24856 HIGH POC PATCH THREAT This Week

FlyteConsole is the web user interface for the Flyte platform. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Server-Side Request Forgery (SSRF) vulnerability could allow attackers to make the server perform requests to unintended internal or external resources.

SSRF Flyte Console
NVD GitHub
CVSS 3.1
7.5
EPSS
10.3%
CVE-2022-30972 Maven HIGH This Week

A cross-site request forgery (CSRF) vulnerability in Jenkins Storable Configs Plugin 1.0 and earlier allows attackers to have Jenkins parse a local XML file (e.g., archived artifacts) that uses. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SSRF CSRF Jenkins Storage Configs
NVD
CVSS 3.1
8.8
EPSS
0.6%
CVE-2022-1711 HIGH POC PATCH This Week

Server-Side Request Forgery (SSRF) in GitHub repository jgraph/drawio prior to 18.0.5. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

SSRF Drawio
NVD GitHub
CVSS 3.1
7.5
EPSS
5.7%
CVE-2022-1723 HIGH POC PATCH This Week

Server-Side Request Forgery (SSRF) in GitHub repository jgraph/drawio prior to 18.0.6. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

SSRF Drawio
NVD GitHub
CVSS 3.1
7.5
EPSS
1.7%
CVE-2022-23668 MEDIUM This Month

A remote authenticated server-side request forgery (ssrf) vulnerability was discovered in Aruba ClearPass Policy Manager version(s): 6.10.4 and below, 6.9.9 and below, 6.8.9-HF2 and below, 6.7.x and. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SSRF Aruba Clearpass Policy Manager
NVD
CVSS 3.1
4.9
EPSS
0.9%
CVE-2022-1722 LOW POC PATCH Monitor

SSRF in editor's proxy via IPv6 link-local address in GitHub repository jgraph/drawio prior to 18.0.5. Rated low severity (CVSS 3.3), this vulnerability is low attack complexity. Public exploit code available.

SSRF Drawio
NVD GitHub
CVSS 3.1
3.3
EPSS
0.5%
CVE-2022-1713 HIGH POC PATCH This Week

SSRF on /proxy in GitHub repository jgraph/drawio prior to 18.0.4. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

SSRF Drawio
NVD GitHub
CVSS 3.1
7.5
EPSS
9.2%
CVE-2022-1398 MEDIUM POC This Month

The External Media without Import WordPress plugin through 1.1.2 does not have any authorisation and does to ensure that medias added via URLs are external medias, which could allow any authenticated. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SSRF WordPress External Media Without Import
NVD WPScan
CVSS 3.1
6.5
EPSS
2.9%
CVE-2022-1386 CRITICAL POC PATCH THREAT Act Now

The Fusion Builder WordPress plugin before 3.6.2, used in the Avada theme, does not validate a parameter in its forms which could be used to initiate arbitrary HTTP requests. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

SSRF WordPress Fusion Builder Avada
NVD WPScan
CVSS 3.1
9.8
EPSS
71.7%
CVE-2022-30049 HIGH POC This Week

A Server-Side Request Forgery (SSRF) in Rebuild v2.8.3 allows attackers to obtain the real IP address and scan Intranet information via the fileurl parameter. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SSRF Rebuild
NVD GitHub
CVSS 3.1
7.5
EPSS
1.0%
CVE-2022-1379 CRITICAL POC PATCH Act Now

URL Restriction Bypass in GitHub repository plantuml/plantuml prior to V1.2022.5. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

SSRF Plantuml Fedora
NVD GitHub
CVSS 3.1
9.1
EPSS
1.5%
CVE-2020-22983 HIGH This Week

A Server-Side Request Forgery (SSRF) vulnerability exists in MicroStrategy Web SDK 11.1 and earlier, allows remote unauthenticated attackers to conduct a server-side request forgery (SSRF) attack via. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SSRF Microstrategy Web
NVD VulDB
CVSS 3.1
8.1
EPSS
2.3%
CVE-2022-29848 MEDIUM POC This Month

In Progress Ipswitch WhatsUp Gold 17.0.0 through 21.1.1, and 22.0.0, it is possible for an authenticated user to invoke an API transaction that would allow them to read sensitive operating-system. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SSRF Whatsup Gold
NVD GitHub
CVSS 3.1
6.5
EPSS
3.5%
CVE-2022-29847 HIGH POC THREAT This Week

In Progress Ipswitch WhatsUp Gold 21.0.0 through 21.1.1, and 22.0.0, it is possible for an unauthenticated attacker to invoke an API transaction that would allow them to relay encrypted WhatsUp Gold. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SSRF Whatsup Gold
NVD GitHub
CVSS 3.1
7.5
EPSS
55.9%
CVE-2022-29180 Go CRITICAL PATCH Act Now

A vulnerability in which attackers could forge HTTP requests to manipulate the `charm` data directory to access or delete anything on the server. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Server-Side Request Forgery (SSRF) vulnerability could allow attackers to make the server perform requests to unintended internal or external resources.

SSRF Docker Charm
NVD GitHub
CVSS 3.1
9.8
EPSS
0.7%
CVE-2022-1592 PyPI HIGH POC PATCH This Week

Server-Side Request Forgery in scout in GitHub repository clinical-genomics/scout prior to v4.42. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

SSRF XSS Scout
NVD GitHub
CVSS 3.1
8.2
EPSS
1.1%
CVE-2022-29942 MEDIUM This Month

Talend Administration Center has a vulnerability that allows an authenticated user to use the Service Registry 'Add' functionality to perform SSRF HTTP GET requests on URLs in the internal network. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SSRF Administration Center
NVD
CVSS 3.1
6.5
EPSS
0.6%
CVE-2022-28090 MEDIUM POC This Month

Jspxcms v10.2.0 allows attackers to execute a Server-Side Request Forgery (SSRF) via /cmscp/ext/collect/fetch_url.do?url=. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SSRF Jspxcms
NVD
CVSS 3.1
6.5
EPSS
1.0%
CVE-2022-1239 HIGH POC This Week

The HubSpot WordPress plugin before 8.8.15 does not validate the proxy URL given to the proxy REST endpoint, which could allow users with the edit_posts capability (by default contributor and above). Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SSRF WordPress Hubspot
NVD WPScan
CVSS 3.1
8.8
EPSS
1.4%
CVE-2022-25850 Go HIGH POC PATCH This Week

The package github.com/hoppscotch/proxyscotch before 1.0.0 are vulnerable to Server-side Request Forgery (SSRF) when interceptor mode is set to proxy. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

SSRF Proxyscotch
NVD GitHub
CVSS 3.1
7.5
EPSS
1.3%
CVE-2022-24449 CRITICAL Act Now

Solar appScreener through 3.10.4, when a valid license is not present, allows XXE and SSRF attacks via a crafted XML document. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SSRF XXE Solar Appscreener
NVD GitHub
CVSS 3.1
9.8
EPSS
1.9%
CVE-2022-29556 CRITICAL Act Now

The iot-manager microservice 1.0.0 in Northern.tech Mender Enterprise before 3.2.2 allows SSRF because the Azure IoT Hub integration provides several SSRF primitives that can execute cross-tenant. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SSRF Microsoft Mender
NVD
CVSS 3.1
9.8
EPSS
1.0%
CVE-2022-28117 MEDIUM POC THREAT This Month

A Server-Side Request Forgery (SSRF) in feed_parser class of Navigate CMS v2.9.4 allows remote attackers to force the application to make arbitrary requests via injection of arbitrary URLs into the. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SSRF Navigate Cms
NVD Exploit-DB
CVSS 3.1
4.9
EPSS
21.9%
CVE-2022-27469 CRITICAL POC Act Now

Monstaftp v2.10.3 was discovered to allow attackers to execute Server-Side Request Forgery (SSRF). Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SSRF Monsta Ftp
NVD
CVSS 3.1
9.8
EPSS
1.4%
CVE-2022-27429 CRITICAL POC Act Now

Jizhicms v1.9.5 was discovered to contain a Server-Side Request Forgery (SSRF) vulnerability via /admin.php/Plugins/update.html. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SSRF Jizhicms
NVD GitHub
CVSS 3.1
9.8
EPSS
1.1%
CVE-2022-27311 Ruby CRITICAL PATCH Act Now

Gibbon v3.4.4 and below allows attackers to execute a Server-Side Request Forgery (SSRF) via a crafted URL. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

SSRF Gibbon
NVD GitHub
CVSS 3.1
9.8
EPSS
1.5%
CVE-2022-24871 PHP MEDIUM PATCH This Month

Shopware is an open commerce platform based on Symfony Framework and Vue. Rated medium severity (CVSS 5.5), this vulnerability is remotely exploitable, low attack complexity. This Server-Side Request Forgery (SSRF) vulnerability could allow attackers to make the server perform requests to unintended internal or external resources.

SSRF Shopware
NVD GitHub
CVSS 3.1
5.5
EPSS
1.0%
CVE-2022-24862 HIGH POC This Week

Databasir is a team-oriented relational database model document management platform. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SSRF Databasir
NVD GitHub
CVSS 3.1
7.7
EPSS
1.0%
CVE-2022-24825 Go MEDIUM PATCH This Month

Smokescreen is a simple HTTP proxy that fogs over naughty URLs. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SSRF Smokescreen
NVD GitHub
CVSS 3.1
5.3
EPSS
0.9%
CVE-2022-29153 Go HIGH POC PATCH This Week

HashiCorp Consul and Consul Enterprise up to 1.9.16, 1.10.9, and 1.11.4 may allow server side request forgery when the Consul client agent follows redirects returned by HTTP health check endpoints. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SSRF Hashicorp HashiCorp Consul Fedora
NVD
CVSS 3.1
7.5
EPSS
8.7%
CVE-2022-1037 HIGH POC This Week

The EXMAGE WordPress plugin before 1.0.7 does to ensure that images added via URLs are external images, which could lead to a blind SSRF issue by using local URLs. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SSRF WordPress Exmage
NVD WPScan
CVSS 3.1
7.2
EPSS
1.3%
CVE-2022-27426 HIGH PATCH This Week

A Server-Side Request Forgery (SSRF) in Chamilo LMS v1.11.13 allows attackers to enumerate the internal network and execute arbitrary system commands via a crafted Phar file. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.

SSRF Chamilo Lms
NVD
CVSS 3.1
8.8
EPSS
0.8%
CVE-2022-26499 CRITICAL PATCH Act Now

An SSRF issue was discovered in Asterisk through 19.x. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Server-Side Request Forgery (SSRF) vulnerability could allow attackers to make the server perform requests to unintended internal or external resources.

SSRF Asterisk Debian Linux
NVD
CVSS 3.1
9.1
EPSS
7.7%
CVE-2022-22339 HIGH PATCH This Week

IBM Planning Analytics 2.0 is vulnerable to server-side request forgery (SSRF). Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

SSRF IBM Planning Analytics
NVD
CVSS 3.1
7.3
EPSS
0.6%
CVE-2020-27375 MEDIUM POC This Month

Dr Trust USA iCheck Connect BP Monitor BP Testing 118 version 1.2.1 is vulnerable to Transmitting Write Requests and Chars. Rated medium severity (CVSS 6.5), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SSRF Icheck Connect Bp Monitor Bp Testing 118 Firmware
NVD VulDB
CVSS 3.1
6.5
EPSS
0.7%
CVE-2022-1213 PHP HIGH POC PATCH This Week

SSRF filter bypass port 80, 433 in GitHub repository livehelperchat/livehelperchat prior to 3.67v. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

SSRF Live Helper Chat
NVD GitHub
CVSS 3.1
8.1
EPSS
0.6%
CVE-2022-1188 MEDIUM This Month

An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.1 before 14.7.7, all versions starting from 14.8 before 14.8.5, all versions starting from 14.9 before 14.9.2. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SSRF Gitlab
NVD
CVSS 3.1
5.3
EPSS
1.2%
CVE-2022-0990 CRITICAL POC PATCH Act Now

Server-Side Request Forgery (SSRF) in GitHub repository janeczku/calibre-web prior to 0.6.18. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

SSRF Calibre Web
NVD GitHub
CVSS 3.1
9.1
EPSS
1.3%
CVE-2022-0939 CRITICAL POC PATCH Act Now

Server-Side Request Forgery (SSRF) in GitHub repository janeczku/calibre-web prior to 0.6.18. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

SSRF Calibre Web
NVD GitHub
CVSS 3.1
9.9
EPSS
1.0%
CVE-2022-0425 HIGH This Week

A DNS rebinding vulnerability in the Irker IRC Gateway integration in all versions of GitLab CE/EE since version 7.9 allows an attacker to trigger Server Side Request Forgery (SSRF) attacks. Rated high severity (CVSS 7.6), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SSRF Gitlab
NVD
CVSS 3.1
7.6
EPSS
0.6%
CVE-2022-1191 HIGH POC PATCH This Week

SSRF on index.php/cobrowse/proxycss/ in GitHub repository livehelperchat/livehelperchat prior to 3.96. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

PHP SSRF Live Helper Chat
NVD GitHub
CVSS 3.1
8.1
EPSS
0.9%
CVE-2022-27907 MEDIUM This Month

Sonatype Nexus Repository Manager 3.x before 3.38.0 allows SSRF. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SSRF Nexus Repository Manager
NVD
CVSS 3.1
4.3
EPSS
0.7%
CVE-2022-24789 NuGet HIGH PATCH This Week

C1 CMS is an open-source, .NET based Content Management System (CMS). Rated high severity (CVSS 7.6), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Denial Of Service SSRF C1 Cms
NVD GitHub
CVSS 3.1
7.6
EPSS
0.7%
CVE-2022-0249 CRITICAL POC Act Now

A vulnerability was discovered in GitLab starting with version 12. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SSRF Gitlab
NVD
CVSS 3.1
9.1
EPSS
1.1%
CVE-2022-0136 HIGH This Week

A vulnerability was discovered in GitLab versions 10.5 to 14.5.4, 14.6 to 14.6.4, and 14.7 to 14.7.1. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SSRF Gitlab
NVD
CVSS 3.1
8.1
EPSS
0.8%
CVE-2022-0591 CRITICAL POC THREAT Act Now

The FormCraft WordPress plugin before 3.8.28 does not validate the URL parameter in the formcraft3_get AJAX action, leading to SSRF issues exploitable by unauthenticated users. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SSRF WordPress Formcraft3
NVD WPScan
CVSS 3.1
9.1
EPSS
20.2%
CVE-2022-27245 HIGH PATCH This Week

An issue was discovered in MISP before 2.4.156. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Server-Side Request Forgery (SSRF) vulnerability could allow attackers to make the server perform requests to unintended internal or external resources.

SSRF PHP Misp
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.9%
CVE-2022-27201 Maven MEDIUM PATCH This Month

Jenkins Semantic Versioning Plugin 1.13 and earlier does not restrict execution of an controller/agent message to agents, and implements no limitations about the file path that can be parsed,. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SSRF Jenkins Semantic Versioning
NVD
CVSS 3.1
6.5
EPSS
1.3%
CVE-2022-0870 Go MEDIUM POC PATCH This Month

Server-Side Request Forgery (SSRF) in GitHub repository gogs/gogs prior to 0.12.5. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

SSRF Gogs
NVD GitHub
CVSS 3.1
5.3
EPSS
3.4%
CVE-2022-24739 PHP MEDIUM PATCH This Month

alltube is an html front end for youtube-dl. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Open Redirect vulnerability could allow attackers to redirect users to malicious websites via URL manipulation.

SSRF Open Redirect Alltube
NVD GitHub
CVSS 3.1
6.1
EPSS
0.9%
CVE-2022-0767 PyPI CRITICAL POC PATCH Act Now

Server-Side Request Forgery (SSRF) in GitHub repository janeczku/calibre-web prior to 0.6.17. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

SSRF Calibre Web
NVD GitHub
CVSS 3.1
9.9
EPSS
1.0%
CVE-2022-0766 PyPI CRITICAL POC PATCH Act Now

Server-Side Request Forgery (SSRF) in GitHub repository janeczku/calibre-web prior to 0.6.17. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

SSRF Calibre Web
NVD GitHub
CVSS 3.1
9.8
EPSS
1.3%
CVE-2022-0528 npm HIGH POC PATCH This Week

Server-Side Request Forgery (SSRF) in GitHub repository transloadit/uppy prior to 3.3.1. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

SSRF Uppy
NVD GitHub
CVSS 3.1
7.5
EPSS
1.0%
CVE-2022-0768 PHP CRITICAL POC PATCH Act Now

Server-Side Request Forgery (SSRF) in GitHub repository rudloff/alltube prior to 3.0.2. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

SSRF Alltube
NVD GitHub
CVSS 3.1
9.1
EPSS
1.6%
CVE-2022-25260 CRITICAL Act Now

JetBrains Hub before 2021.1.14276 was vulnerable to blind Server-Side Request Forgery (SSRF). Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SSRF Hub
NVD
CVSS 3.1
9.1
EPSS
2.4%
CVE-2022-24333 MEDIUM This Month

In JetBrains TeamCity before 2021.2, blind SSRF via an XML-RPC call was possible. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SSRF Teamcity
NVD
CVSS 3.1
6.5
EPSS
0.7%
CVE-2022-24980 PHP HIGH PATCH This Week

An issue was discovered in the Kitodo.Presentation (aka dif) extension before 2.3.2, 3.x before 3.2.3, and 3.3.x before 3.3.4 for TYPO3. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SSRF Kitodo Presentation
NVD
CVSS 3.1
7.5
EPSS
1.2%
CVE-2022-21215 CRITICAL Act Now

This vulnerability could allow an attacker to force the server to create and execute a web request granting access to backend APIs that are only accessible to the Mimosa MMP server, or request pages. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SSRF Mimosa Management Platform C6X Firmware C5X Firmware C5C Firmware +1
NVD
CVSS 3.1
9.8
EPSS
1.4%
CVE-2022-0671 Maven CRITICAL PATCH Act Now

A flaw was found in vscode-xml in versions prior to 0.19.0. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SSRF Vscode Xml
NVD GitHub
CVSS 3.1
9.1
EPSS
1.3%
EPSS 1% CVSS 9.1
CRITICAL PATCH Act Now

Best Practical RT for Incident Response (RTIR) before 4.0.3 and 5.x before 5.0.3 allows SSRF via the whois lookup tool. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Server-Side Request Forgery (SSRF) vulnerability could allow attackers to make the server perform requests to unintended internal or external resources.

SSRF Request Tracker For Incident Response
NVD
EPSS 1% CVSS 7.5
HIGH This Week

The vCenter Server contains a server-side request forgery (SSRF) vulnerability. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

VMware SSRF Cloud Foundation +1
NVD
EPSS 2% CVSS 7.5
HIGH POC PATCH This Week

With this SSRF vulnerability, an attacker can reach internal addresses to make a request as the server and read it's contents. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

SSRF Nocodb
NVD GitHub
EPSS 4% CVSS 9.8
CRITICAL Act Now

Apache Jetspeed-2 does not sufficiently filter untrusted user input by default leading to a number of issues including XSS, CSRF, XXE, and SSRF. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SSRF XSS CSRF +3
NVD
EPSS 0% CVSS 5.5
MEDIUM POC PATCH This Month

The package link-preview-js before 2.1.16 are vulnerable to Server-side Request Forgery (SSRF) which allows attackers to send arbitrary requests to the local network and read the response. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. Public exploit code available.

SSRF Link Preview Js
NVD GitHub
EPSS 71% CVSS 6.5
MEDIUM This Month

A vulnerability in Mobile Plugin for Jira Data Center and Server allows a remote, authenticated user (including a user who joined via the sign-up feature) to perform a full read server-side request. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SSRF Atlassian Jira Data Center +3
NVD
EPSS 1% CVSS 5.3
MEDIUM POC PATCH This Month

Server-Side Request Forgery (SSRF) in GitHub repository dompdf/dompdf prior to 2.0.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

SSRF Dompdf
NVD GitHub
EPSS 16% CVSS 9.8
CRITICAL POC THREAT Act Now

Halo CMS v1.5.3 was discovered to contain a Server-Side Request Forgery (SSRF) via the template remote download function. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SSRF Halo
NVD GitHub
EPSS 2% CVSS 9.8
CRITICAL POC PATCH Act Now

Server-Side Request Forgery (SSRF) in GitHub repository ionicabizau/parse-url prior to 7.0.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

SSRF Parse Url
NVD GitHub
EPSS 1% CVSS 7.2
HIGH POC This Week

The Import Export All WordPress Images, Users & Post Types WordPress plugin before 6.5.3 does not fully validate the file to be imported via an URL before making an HTTP request to it, which could. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SSRF WordPress Import All Pages Post Types Products Orders And Users As Xml Csv
NVD WPScan
EPSS 1% CVSS 9.8
CRITICAL Act Now

SysAid - Okta SSO integration - was found vulnerable to XML External Entity Injection vulnerability. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SSRF XXE Okta Sso
NVD
EPSS 1% CVSS 4.3
MEDIUM POC This Month

OneBlog v2.3.4 was discovered to contain a Server-Side Request Forgery (SSRF) vulnerability via the Logo parameter under the Link module. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SSRF Oneblog
NVD
EPSS 1% CVSS 4.3
MEDIUM POC This Month

OneBlog v2.3.4 was discovered to contain a Server-Side Request Forgery (SSRF) vulnerability via the parameter entryUrls. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SSRF Oneblog
NVD
EPSS 1% CVSS 5.0
MEDIUM POC PATCH This Month

In directus versions v9.0.0-beta.2 through 9.6.0 are vulnerable to server-side request forgery (SSRF) in the media upload functionality which allows a low privileged user to perform internal network. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

SSRF Directus
NVD GitHub
EPSS 1% CVSS 6.5
MEDIUM POC PATCH This Month

In Recipes, versions 0.9.1 through 1.2.5 are vulnerable to Server Side Request Forgery (SSRF), in the “Import Recipe” functionality. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

SSRF Recipes
NVD GitHub
EPSS 1% CVSS 4.3
MEDIUM This Month

SAP NetWeaver, ABAP Platform and SAP Host Agent - versions KERNEL 7.22, 7.49, 7.53, 7.77, 7.81, 7.85, 7.86, 7.87, 7.88, 8.04, KRNL64NUC 7.22, 7.22EXT, 7.49, KRNL64UC 7.22, 7.22EXT, 7.49, 7.53, 8.04,. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SSRF SAP Host Agent +1
NVD
EPSS 1% CVSS 6.5
MEDIUM This Month

Some part of SAP NetWeaver (EP Web Page Composer) does not sufficiently validate an XML document accepted from an untrusted source, which allows an adversary to exploit unprotected XML parking at. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SSRF SAP Netweaver
NVD
EPSS 2% CVSS 6.1
MEDIUM PATCH This Month

bypass CVE-2021-25640 > In Apache Dubbo prior to 2.6.12 and 2.7.15, the usage of parseURL method will lead to the bypass of the white host check which can cause open redirect or SSRF vulnerability. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SSRF Apache Open Redirect +1
NVD
EPSS 15% CVSS 9.1
CRITICAL POC THREAT Act Now

Kity Minder v1.3.5 was discovered to contain a Server-Side Request Forgery (SSRF) via the init function at ImageCapture.class.php. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SSRF Kity Minder
NVD GitHub
EPSS 20% CVSS 9.1
CRITICAL POC THREAT Act Now

MonstaFTP v2.10.3 was discovered to contain a Server-Side Request Forgery (SSRF) via the function performFetchRequest at HTTPFetcher.php. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SSRF Monstaftp
NVD GitHub
EPSS 1% CVSS 9.1
CRITICAL POC Act Now

Jizhicms v2.2.5 was discovered to contain a Server-Side Request Forgery (SSRF) vulnerability via the Index function in app/admin/c/PluginsController.php. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SSRF Jizhicms
NVD GitHub
EPSS 1% CVSS 9.1
CRITICAL POC Act Now

Jizhicms v2.2.5 was discovered to contain a Server-Side Request Forgery (SSRF) vulnerability via the Update function in app/admin/c/TemplateController.php. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SSRF Jizhicms
NVD GitHub
EPSS 1% CVSS 9.1
CRITICAL POC Act Now

A Server-Side Request Forgery (SSRF) in the getFileBinary function of nbnbk cms 3 allows attackers to force the application to make arbitrary requests via injection of arbitrary URLs into the URL. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SSRF Nbnbk
NVD GitHub
EPSS 1% CVSS 7.5
HIGH POC PATCH This Week

Jodd HTTP v6.0.9 was discovered to contain multiple CLRF injection vulnerabilities via the components jodd.http.HttpRequest#set and `jodd.http.HttpRequest#send. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SSRF Jodd Http
NVD GitHub
EPSS 1% CVSS 6.5
MEDIUM POC PATCH This Month

Server-Side Request Forgery (SSRF) in GitHub repository gogs/gogs prior to 0.12.8. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

SSRF Gogs
NVD GitHub
EPSS 1% CVSS 7.5
HIGH POC This Week

mysiteforme v2.2.1 was discovered to contain a Server-Side Request Forgery. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SSRF Mysiteforme
NVD GitHub
EPSS 2% CVSS 7.5
HIGH POC This Week

CSZCMS v1.3.0 allows attackers to execute a Server-Side Request Forgery (SSRF) which can be leveraged to leak sensitive data via a local file inclusion at /admin/filemanager/connector/. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SSRF Information Disclosure Cszcms
NVD
EPSS 1% CVSS 6.5
MEDIUM PATCH This Month

Smokescreen is an HTTP proxy. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Server-Side Request Forgery (SSRF) vulnerability could allow attackers to make the server perform requests to unintended internal or external resources.

SSRF Smokescreen
NVD GitHub
EPSS 2% CVSS 7.5
HIGH POC PATCH This Week

Server-Side Request Forgery (SSRF) in GitHub repository jgraph/drawio prior to 18.0.8. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

SSRF Drawio
NVD GitHub
EPSS 2% CVSS 7.5
HIGH POC PATCH This Week

Server-Side Request Forgery (SSRF) in GitHub repository jgraph/drawio prior to 18.0.7. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

SSRF Drawio
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

A remote server-side request forgery (ssrf) vulnerability was discovered in HPE OneView version(s): Prior to 7.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

SSRF Oneview
NVD
EPSS 10% CVSS 7.5
HIGH POC PATCH THREAT This Week

FlyteConsole is the web user interface for the Flyte platform. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Server-Side Request Forgery (SSRF) vulnerability could allow attackers to make the server perform requests to unintended internal or external resources.

SSRF Flyte Console
NVD GitHub
EPSS 1% CVSS 8.8
HIGH This Week

A cross-site request forgery (CSRF) vulnerability in Jenkins Storable Configs Plugin 1.0 and earlier allows attackers to have Jenkins parse a local XML file (e.g., archived artifacts) that uses. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SSRF CSRF Jenkins +1
NVD
EPSS 6% CVSS 7.5
HIGH POC PATCH This Week

Server-Side Request Forgery (SSRF) in GitHub repository jgraph/drawio prior to 18.0.5. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

SSRF Drawio
NVD GitHub
EPSS 2% CVSS 7.5
HIGH POC PATCH This Week

Server-Side Request Forgery (SSRF) in GitHub repository jgraph/drawio prior to 18.0.6. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

SSRF Drawio
NVD GitHub
EPSS 1% CVSS 4.9
MEDIUM This Month

A remote authenticated server-side request forgery (ssrf) vulnerability was discovered in Aruba ClearPass Policy Manager version(s): 6.10.4 and below, 6.9.9 and below, 6.8.9-HF2 and below, 6.7.x and. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SSRF Aruba Clearpass Policy Manager
NVD
EPSS 1% CVSS 3.3
LOW POC PATCH Monitor

SSRF in editor's proxy via IPv6 link-local address in GitHub repository jgraph/drawio prior to 18.0.5. Rated low severity (CVSS 3.3), this vulnerability is low attack complexity. Public exploit code available.

SSRF Drawio
NVD GitHub
EPSS 9% CVSS 7.5
HIGH POC PATCH This Week

SSRF on /proxy in GitHub repository jgraph/drawio prior to 18.0.4. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

SSRF Drawio
NVD GitHub
EPSS 3% CVSS 6.5
MEDIUM POC This Month

The External Media without Import WordPress plugin through 1.1.2 does not have any authorisation and does to ensure that medias added via URLs are external medias, which could allow any authenticated. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SSRF WordPress External Media Without Import
NVD WPScan
EPSS 72% CVSS 9.8
CRITICAL POC PATCH THREAT Act Now

The Fusion Builder WordPress plugin before 3.6.2, used in the Avada theme, does not validate a parameter in its forms which could be used to initiate arbitrary HTTP requests. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

SSRF WordPress Fusion Builder +1
NVD WPScan
EPSS 1% CVSS 7.5
HIGH POC This Week

A Server-Side Request Forgery (SSRF) in Rebuild v2.8.3 allows attackers to obtain the real IP address and scan Intranet information via the fileurl parameter. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SSRF Rebuild
NVD GitHub
EPSS 2% CVSS 9.1
CRITICAL POC PATCH Act Now

URL Restriction Bypass in GitHub repository plantuml/plantuml prior to V1.2022.5. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

SSRF Plantuml Fedora
NVD GitHub
EPSS 2% CVSS 8.1
HIGH This Week

A Server-Side Request Forgery (SSRF) vulnerability exists in MicroStrategy Web SDK 11.1 and earlier, allows remote unauthenticated attackers to conduct a server-side request forgery (SSRF) attack via. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SSRF Microstrategy Web
NVD VulDB
EPSS 4% CVSS 6.5
MEDIUM POC This Month

In Progress Ipswitch WhatsUp Gold 17.0.0 through 21.1.1, and 22.0.0, it is possible for an authenticated user to invoke an API transaction that would allow them to read sensitive operating-system. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SSRF Whatsup Gold
NVD GitHub
EPSS 56% CVSS 7.5
HIGH POC THREAT This Week

In Progress Ipswitch WhatsUp Gold 21.0.0 through 21.1.1, and 22.0.0, it is possible for an unauthenticated attacker to invoke an API transaction that would allow them to relay encrypted WhatsUp Gold. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SSRF Whatsup Gold
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

A vulnerability in which attackers could forge HTTP requests to manipulate the `charm` data directory to access or delete anything on the server. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Server-Side Request Forgery (SSRF) vulnerability could allow attackers to make the server perform requests to unintended internal or external resources.

SSRF Docker Charm
NVD GitHub
EPSS 1% CVSS 8.2
HIGH POC PATCH This Week

Server-Side Request Forgery in scout in GitHub repository clinical-genomics/scout prior to v4.42. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

SSRF XSS Scout
NVD GitHub
EPSS 1% CVSS 6.5
MEDIUM This Month

Talend Administration Center has a vulnerability that allows an authenticated user to use the Service Registry 'Add' functionality to perform SSRF HTTP GET requests on URLs in the internal network. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SSRF Administration Center
NVD
EPSS 1% CVSS 6.5
MEDIUM POC This Month

Jspxcms v10.2.0 allows attackers to execute a Server-Side Request Forgery (SSRF) via /cmscp/ext/collect/fetch_url.do?url=. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SSRF Jspxcms
NVD
EPSS 1% CVSS 8.8
HIGH POC This Week

The HubSpot WordPress plugin before 8.8.15 does not validate the proxy URL given to the proxy REST endpoint, which could allow users with the edit_posts capability (by default contributor and above). Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SSRF WordPress Hubspot
NVD WPScan
EPSS 1% CVSS 7.5
HIGH POC PATCH This Week

The package github.com/hoppscotch/proxyscotch before 1.0.0 are vulnerable to Server-side Request Forgery (SSRF) when interceptor mode is set to proxy. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

SSRF Proxyscotch
NVD GitHub
EPSS 2% CVSS 9.8
CRITICAL Act Now

Solar appScreener through 3.10.4, when a valid license is not present, allows XXE and SSRF attacks via a crafted XML document. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SSRF XXE Solar Appscreener
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL Act Now

The iot-manager microservice 1.0.0 in Northern.tech Mender Enterprise before 3.2.2 allows SSRF because the Azure IoT Hub integration provides several SSRF primitives that can execute cross-tenant. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SSRF Microsoft Mender
NVD
EPSS 22% CVSS 4.9
MEDIUM POC THREAT This Month

A Server-Side Request Forgery (SSRF) in feed_parser class of Navigate CMS v2.9.4 allows remote attackers to force the application to make arbitrary requests via injection of arbitrary URLs into the. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SSRF Navigate Cms
NVD Exploit-DB
EPSS 1% CVSS 9.8
CRITICAL POC Act Now

Monstaftp v2.10.3 was discovered to allow attackers to execute Server-Side Request Forgery (SSRF). Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SSRF Monsta Ftp
NVD
EPSS 1% CVSS 9.8
CRITICAL POC Act Now

Jizhicms v1.9.5 was discovered to contain a Server-Side Request Forgery (SSRF) vulnerability via /admin.php/Plugins/update.html. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SSRF Jizhicms
NVD GitHub
EPSS 2% CVSS 9.8
CRITICAL PATCH Act Now

Gibbon v3.4.4 and below allows attackers to execute a Server-Side Request Forgery (SSRF) via a crafted URL. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

SSRF Gibbon
NVD GitHub
EPSS 1% CVSS 5.5
MEDIUM PATCH This Month

Shopware is an open commerce platform based on Symfony Framework and Vue. Rated medium severity (CVSS 5.5), this vulnerability is remotely exploitable, low attack complexity. This Server-Side Request Forgery (SSRF) vulnerability could allow attackers to make the server perform requests to unintended internal or external resources.

SSRF Shopware
NVD GitHub
EPSS 1% CVSS 7.7
HIGH POC This Week

Databasir is a team-oriented relational database model document management platform. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SSRF Databasir
NVD GitHub
EPSS 1% CVSS 5.3
MEDIUM PATCH This Month

Smokescreen is a simple HTTP proxy that fogs over naughty URLs. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SSRF Smokescreen
NVD GitHub
EPSS 9% CVSS 7.5
HIGH POC PATCH This Week

HashiCorp Consul and Consul Enterprise up to 1.9.16, 1.10.9, and 1.11.4 may allow server side request forgery when the Consul client agent follows redirects returned by HTTP health check endpoints. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SSRF Hashicorp HashiCorp Consul +1
NVD
EPSS 1% CVSS 7.2
HIGH POC This Week

The EXMAGE WordPress plugin before 1.0.7 does to ensure that images added via URLs are external images, which could lead to a blind SSRF issue by using local URLs. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SSRF WordPress Exmage
NVD WPScan
EPSS 1% CVSS 8.8
HIGH PATCH This Week

A Server-Side Request Forgery (SSRF) in Chamilo LMS v1.11.13 allows attackers to enumerate the internal network and execute arbitrary system commands via a crafted Phar file. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.

SSRF Chamilo Lms
NVD
EPSS 8% CVSS 9.1
CRITICAL PATCH Act Now

An SSRF issue was discovered in Asterisk through 19.x. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Server-Side Request Forgery (SSRF) vulnerability could allow attackers to make the server perform requests to unintended internal or external resources.

SSRF Asterisk Debian Linux
NVD
EPSS 1% CVSS 7.3
HIGH PATCH This Week

IBM Planning Analytics 2.0 is vulnerable to server-side request forgery (SSRF). Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

SSRF IBM Planning Analytics
NVD
EPSS 1% CVSS 6.5
MEDIUM POC This Month

Dr Trust USA iCheck Connect BP Monitor BP Testing 118 version 1.2.1 is vulnerable to Transmitting Write Requests and Chars. Rated medium severity (CVSS 6.5), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SSRF Icheck Connect Bp Monitor Bp Testing 118 Firmware
NVD VulDB
EPSS 1% CVSS 8.1
HIGH POC PATCH This Week

SSRF filter bypass port 80, 433 in GitHub repository livehelperchat/livehelperchat prior to 3.67v. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

SSRF Live Helper Chat
NVD GitHub
EPSS 1% CVSS 5.3
MEDIUM This Month

An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.1 before 14.7.7, all versions starting from 14.8 before 14.8.5, all versions starting from 14.9 before 14.9.2. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SSRF Gitlab
NVD
EPSS 1% CVSS 9.1
CRITICAL POC PATCH Act Now

Server-Side Request Forgery (SSRF) in GitHub repository janeczku/calibre-web prior to 0.6.18. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

SSRF Calibre Web
NVD GitHub
EPSS 1% CVSS 9.9
CRITICAL POC PATCH Act Now

Server-Side Request Forgery (SSRF) in GitHub repository janeczku/calibre-web prior to 0.6.18. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

SSRF Calibre Web
NVD GitHub
EPSS 1% CVSS 7.6
HIGH This Week

A DNS rebinding vulnerability in the Irker IRC Gateway integration in all versions of GitLab CE/EE since version 7.9 allows an attacker to trigger Server Side Request Forgery (SSRF) attacks. Rated high severity (CVSS 7.6), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SSRF Gitlab
NVD
EPSS 1% CVSS 8.1
HIGH POC PATCH This Week

SSRF on index.php/cobrowse/proxycss/ in GitHub repository livehelperchat/livehelperchat prior to 3.96. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

PHP SSRF Live Helper Chat
NVD GitHub
EPSS 1% CVSS 4.3
MEDIUM This Month

Sonatype Nexus Repository Manager 3.x before 3.38.0 allows SSRF. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SSRF Nexus Repository Manager
NVD
EPSS 1% CVSS 7.6
HIGH PATCH This Week

C1 CMS is an open-source, .NET based Content Management System (CMS). Rated high severity (CVSS 7.6), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Denial Of Service SSRF C1 Cms
NVD GitHub
EPSS 1% CVSS 9.1
CRITICAL POC Act Now

A vulnerability was discovered in GitLab starting with version 12. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SSRF Gitlab
NVD
EPSS 1% CVSS 8.1
HIGH This Week

A vulnerability was discovered in GitLab versions 10.5 to 14.5.4, 14.6 to 14.6.4, and 14.7 to 14.7.1. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SSRF Gitlab
NVD
EPSS 20% CVSS 9.1
CRITICAL POC THREAT Act Now

The FormCraft WordPress plugin before 3.8.28 does not validate the URL parameter in the formcraft3_get AJAX action, leading to SSRF issues exploitable by unauthenticated users. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SSRF WordPress Formcraft3
NVD WPScan
EPSS 1% CVSS 8.8
HIGH PATCH This Week

An issue was discovered in MISP before 2.4.156. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Server-Side Request Forgery (SSRF) vulnerability could allow attackers to make the server perform requests to unintended internal or external resources.

SSRF PHP Misp
NVD GitHub VulDB
EPSS 1% CVSS 6.5
MEDIUM PATCH This Month

Jenkins Semantic Versioning Plugin 1.13 and earlier does not restrict execution of an controller/agent message to agents, and implements no limitations about the file path that can be parsed,. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SSRF Jenkins Semantic Versioning
NVD
EPSS 3% CVSS 5.3
MEDIUM POC PATCH This Month

Server-Side Request Forgery (SSRF) in GitHub repository gogs/gogs prior to 0.12.5. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

SSRF Gogs
NVD GitHub
EPSS 1% CVSS 6.1
MEDIUM PATCH This Month

alltube is an html front end for youtube-dl. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Open Redirect vulnerability could allow attackers to redirect users to malicious websites via URL manipulation.

SSRF Open Redirect Alltube
NVD GitHub
EPSS 1% CVSS 9.9
CRITICAL POC PATCH Act Now

Server-Side Request Forgery (SSRF) in GitHub repository janeczku/calibre-web prior to 0.6.17. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

SSRF Calibre Web
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL POC PATCH Act Now

Server-Side Request Forgery (SSRF) in GitHub repository janeczku/calibre-web prior to 0.6.17. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

SSRF Calibre Web
NVD GitHub
EPSS 1% CVSS 7.5
HIGH POC PATCH This Week

Server-Side Request Forgery (SSRF) in GitHub repository transloadit/uppy prior to 3.3.1. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

SSRF Uppy
NVD GitHub
EPSS 2% CVSS 9.1
CRITICAL POC PATCH Act Now

Server-Side Request Forgery (SSRF) in GitHub repository rudloff/alltube prior to 3.0.2. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

SSRF Alltube
NVD GitHub
EPSS 2% CVSS 9.1
CRITICAL Act Now

JetBrains Hub before 2021.1.14276 was vulnerable to blind Server-Side Request Forgery (SSRF). Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SSRF Hub
NVD
EPSS 1% CVSS 6.5
MEDIUM This Month

In JetBrains TeamCity before 2021.2, blind SSRF via an XML-RPC call was possible. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SSRF Teamcity
NVD
EPSS 1% CVSS 7.5
HIGH PATCH This Week

An issue was discovered in the Kitodo.Presentation (aka dif) extension before 2.3.2, 3.x before 3.2.3, and 3.3.x before 3.3.4 for TYPO3. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SSRF Kitodo Presentation
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

This vulnerability could allow an attacker to force the server to create and execute a web request granting access to backend APIs that are only accessible to the Mimosa MMP server, or request pages. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SSRF Mimosa Management Platform C6X Firmware +3
NVD
EPSS 1% CVSS 9.1
CRITICAL PATCH Act Now

A flaw was found in vscode-xml in versions prior to 0.19.0. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SSRF Vscode Xml
NVD GitHub
Prev Page 26 of 32 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy