SSRF
Monthly
Server-side request forgery in the Open Health Imaging Foundation (OHIF) DICOM Web Viewer Framework lets an attacker exfiltrate an authenticated user's OIDC Bearer token by abusing the default-enabled DICOMWebProxy and DICOMJSON data sources, which fetch an attacker-supplied URL without validation while OHIF's global auth service silently attaches the victim's token to the outbound request. Any authenticated user lured into loading a malicious viewer link sends their live credential to an attacker-controlled host, enabling identity takeover against the PACS or backend. No public exploit identified at time of analysis and the issue is not on CISA KEV, but the high-impact token leakage and default-configuration exposure make it a meaningful credential-theft risk.
Privilege escalation via broken authorization in Netflix Lemur (versions <= 1.9.0) lets any authenticated user - including the shipped lowest-privilege `read-only` role - perform admin-only certificate-management actions. Because the `StrictRolePermission` and `AuthorityCreatorPermission` classes were instantiated with an empty Need set when their config flags were left at the default `False`, Flask-Principal's `allows()` returns True for every identity, removing the only role gate in front of CA creation, certificate upload, notification (SSRF sink) management, and domain registry edits. No public exploit identified at time of analysis and the issue is not in CISA KEV, but exploitation requires only a single low-privilege credential, making it a direct pivot to control of the PKI issuance plane.
Server-side request forgery in MaxKB before 2.10.0 allows any authenticated user holding the default workspace USER role to coerce the application server into making arbitrary HTTP requests to attacker-controlled destinations via the `downloadCallbackUrl` and `download_url` parameters on ToolSerializer endpoints. An attacker can pivot through the MaxKB host to probe and extract data from internal network services - cloud metadata APIs, internal databases, adjacent microservices - that would otherwise be inaccessible from outside the network perimeter. A public proof-of-concept exists at GitHub issue #6272; this is not confirmed actively exploited (not in CISA KEV).
Server-side request forgery in NewsBlur's add_url endpoint allows any authenticated user to direct the server to issue arbitrary HTTP requests to private, loopback, or link-local addresses, including cloud instance metadata services. All NewsBlur deployments prior to version 14.5.0 (CPE: cpe:2.3:a:samuelclay:newsblur) are affected. An attacker with a valid account can supply a URL resolving to 169.254.169.254 or other internal addresses, enabling exfiltration of cloud provider IAM credentials and internal network reconnaissance. No public exploit identified at time of analysis, though patch commits are publicly available on GitHub and document the exact missing validation check.
Server-side request forgery in Huly Platform's /import endpoint allows authenticated workspace users to coerce the front pod into making arbitrary HTTP requests to internal infrastructure. Any valid workspace account can supply attacker-controlled URLs; the server fetches them, leaking internal service responses - including cloud metadata credentials - back to the attacker. A publicly available exploit exists per the GitHub issue tracker, though active exploitation has not been confirmed by CISA KEV. The CVSS 4.0 vector assigns SC:H, flagging high confidentiality impact on subsequent (internal) systems as the primary risk.
Server-side request forgery in ToolJet's RestAPI data source (versions prior to 3.20.178-lts) allows a low-privileged platform user to reach internal network endpoints because the private-IP filter validates only the hostname string rather than the resolved IP. By supplying a DNS name such as 169.254.169.254.nip.io, an attacker bypasses the filter and forces the server to query the Azure IMDS link-local endpoint, enabling theft of managed-identity tokens for the backing AKS production cluster. No public exploit identified at time of analysis and the issue is not in CISA KEV, but the cloud-credential impact makes it a high-value SSRF.
Server-side request forgery in LibreChat before 0.8.4-rc1 lets any authenticated user point a custom OpenAI-compatible endpoint baseURL at internal network addresses, because the URL is used to build HTTP requests with no SSRF validation whatsoever - no private-IP blocking, no scheme restriction, and no DNS pinning. By abusing the legitimate custom-endpoint feature, a logged-in user can coerce the server into reaching internal-only services and returning their responses, with a CVSS 3.1 score of 7.7 driven by a changed scope and high confidentiality impact. There is no public exploit identified at time of analysis and the issue is not in CISA KEV, but the trivial low-complexity nature makes it readily exploitable once an account exists.
NONET network restriction bypass in Nokogiri's JRuby implementation permits external resource fetching during XML Schema parsing despite the default network-blocking parse option being set, exposing applications to potential SSRF and XXE attacks. Only JRuby-based deployments are affected - CRuby users are fully protected because libxml2's xmlNoNetExternalEntityLoader enforces NONET at the I/O layer independently of Nokogiri's option handling. Rated low severity by maintainers (CVSS 2.6); vendor-released patch is available in version 1.19.4, and no public exploit has been identified at time of analysis.
HTML injection into server-side PDF rendering contexts in Pretix enables low-privileged authenticated users to embed external image references that trigger outbound HTTP requests from the rendering engine, leaking the server's network identity and creating an SSRF vector against internal network services. The CVSS 4.0 score of 2.1 reflects genuinely low severity - exploitation requires authentication, specific content reaching PDF rendering paths, and passive user interaction to trigger PDF generation. No public exploit code exists and this vulnerability is absent from CISA KEV.
Reverse-proxy takeover in Appsmith versions prior to 2.1 lets an authenticated low-privileged user abuse server-side request forgery to reach the bundled Caddy admin API, which ships with no authentication and listens on 0.0.0.0:2019 inside the container. By forcing the Appsmith server to issue a POST /load to that internal endpoint, the attacker rewrites the live Caddy configuration and seizes control of the reverse proxy that fronts the application. No public exploit identified at time of analysis and the issue is not in CISA KEV, but the vendor-confirmed CWE-749 exposure carries a 9.9 CVSS rating.
Server-side request forgery in Appsmith prior to version 2.1 allows authenticated users to reach loopback-bound services inside the deployment container by exploiting a split code path in host validation logic. The WebClientUtils component used by REST API and GraphQL datasource plugins enforces only an exact-match string denylist, while the comprehensive address-class check covering loopback, any-local, link-local, and fc00::/7 IPv6 ranges exists solely on the SMTP plugin code path - leaving the HTTP path bypassable. No public exploit code has been identified at time of analysis, and this CVE does not appear in the CISA KEV catalog.
Server-Side Request Forgery in Mastodon before 4.5.10, 4.4.17, and 4.3.23 lets attackers coerce the server into issuing HTTP requests to loopback interfaces, reaching private resources and internal services that should be unreachable from the public internet. The flaw stems from an incomplete IP-range blocklist that omitted a range capable of resolving to local addresses. No public exploit identified at time of analysis; the upstream advisory (GHSA-crr4-7rm4-8gpw) accompanies the fixed releases.
Server-side request forgery in Ghost CMS versions 6.19.4 through 6.21.1 allows authenticated staff users to pivot the Ghost server into making arbitrary outbound HTTP requests, including to internal network hosts and cloud instance metadata endpoints. The vulnerable code path is Ghost's post re-rendering pipeline, which fetches image dimensions from URLs stored in image cards without validating those URLs against a trusted host allowlist. No public exploit has been identified at time of analysis, and a vendor-released patch is available in 6.21.1.
Full unauthenticated administrative takeover of Payara Server Full (4.x through 7.2026.x, including 6.2024.x and 6.2025.x) is achievable by chaining a Server-Side Request Forgery in the Admin GUI's DownloadServlet with the absence of CSRF protection (CWE-352). An attacker who lures a logged-in administrator into a crafted request exfiltrates the admin REST session token (gfresttoken) to an attacker-controlled host, then replays it for full domain control and arbitrary code execution via WAR deployment. The CVSS 4.0 vector carries E:P (proof-of-concept maturity), so publicly available exploit code exists; there is no CISA KEV listing and no EPSS score in the provided data.
XML external entity (XXE) injection in the Jenkins Assembla Plugin version 1.4 and earlier lets an attacker who can control the HTTP responses of the configured Assembla server read sensitive files and secrets from the Jenkins controller and pivot into internal services via server-side request forgery. Mapped to CWE-918 (SSRF) with a CVSS 3.1 base score of 7.1 (high), there is no public exploit identified at time of analysis and CISA SSVC rates exploitation as 'none' with only partial technical impact. Exploitation requires the attacker to influence what the Assembla endpoint returns, so it is a targeted rather than mass-exploitable condition.
Server-Side Request Forgery in Pentestify 1.0.0's PDF generation endpoint enables remote attackers (PR:N per CVSS 4.0 vector) to coerce the server into issuing outbound HTTP requests to arbitrary internal or external targets, including cloud metadata services such as the AWS Instance Metadata Service at 169.254.169.254, by supplying a crafted HTTP Host header. The rendered PDF is returned to the caller, potentially leaking internal service responses or IAM role credentials. No public exploit code has been identified and no CISA KEV listing exists at time of analysis; the vulnerability is patched in version 1.1.0.
Server-side request forgery in the Kargo Takip WordPress plugin (versions through 1.2) allows unauthenticated remote attackers to coerce the site into issuing arbitrary HTTP requests via the 'api_url' parameter and to exfiltrate data from internal services. Because the plugin echoes the value of any 'auth' key from the JSON response back to the attacker, it enables direct retrieval of sensitive responses such as cloud instance metadata credentials. No public exploit identified at time of analysis, and the plugin is not listed in CISA KEV.
Server-Side Request Forgery in the WP Meta SEO WordPress plugin (all versions through 4.5.18) enables authenticated contributors to coerce the web server into issuing arbitrary outbound HTTP requests via the `new_link` parameter, with the response status code reflected back through the AJAX JSON response as `status_code`. This status-code oracle allows methodical enumeration of internal network hosts and cloud metadata services (e.g., AWS IMDSv1 at 169.254.169.254), making it particularly dangerous in cloud-hosted WordPress deployments. No public exploit identified at time of analysis, though the vulnerability is confirmed by Wordfence with direct source code references and the technique is well-understood.
Server-Side Request Forgery in the WordPress URL Preview plugin (all versions through 1.0) allows unauthenticated attackers to coerce the WordPress server into making arbitrary outbound HTTP requests via the 'url' parameter. The flaw, reported by Wordfence and tracked as CWE-918, enables querying or modifying data on internal services reachable from the WordPress host, including cloud metadata endpoints and internal admin panels. No public exploit identified at time of analysis, but the vulnerability is trivially exploitable given AV:N/AC:L/PR:N/UI:N.
Eager DNS resolution during InetSocketAddress deserialization in jackson-databind (versions 2.0.0 through pre-fix releases across the 2.18, 2.21, and 3.x lines) allows any attacker who can supply untrusted JSON to an affected endpoint to force outbound DNS lookups for attacker-chosen hostnames at readValue() time - before application validation or connect logic can intervene. This DNS-based SSRF (CWE-918) enables internal resolver probing, network topology enumeration, and DNS out-of-band interaction signals against applications that deserialize untrusted JSON into types containing InetSocketAddress fields. No public exploit code and no CISA KEV listing have been identified at time of analysis; EPSS data was not available in the provided intelligence sources.
Unauthenticated remote action execution in motionEye (pip/motioneye < 0.44.0) exposes every camera action endpoint - snapshots, recording start/stop, and administrator-configured shell scripts - to any attacker who can reach port 8765, due to a missing @BaseHandler.auth() decorator on ActionHandler.post(). Dynamically confirmed on v0.43.1 in a Docker lab environment; exploitation requires only a single HTTP POST with no credentials, headers, or user interaction. Beyond the CVSS 5.3 Medium rating, real-world impact extends to physical security bypass (PTZ, alarms, lighting controls) if action scripts are configured, and SSRF via remote camera triggering - no public exploit or CISA KEV listing is identified at time of analysis.
Server-side request forgery in Gogs versions prior to 0.14.3 allows authenticated users to bypass the migration URL blocklist by submitting a public clone URL that HTTP-redirects to internal endpoints such as 127.0.0.1, causing git clone --mirror to fetch internal repositories and import their contents into an attacker-controlled repo. Affected installations leak source code and secrets from any HTTP-reachable internal Git endpoint, and the migration job doubles as an internal network scanner. No public exploit identified at time of analysis, though the advisory contains full reproduction steps.
Server-side request forgery in OpenStack Swift's proxy-server allows authenticated users to manipulate object servers into issuing outbound HTTP requests to attacker-specified hosts. All Swift deployments running version 2.0.0 or later across all maintained release trains are affected, including the 2025.1/epoxy, 2025.2/flamingo, 2026.1/gazpacho, and development 2026.2/hibiscus branches. No public exploit has been identified at time of analysis, but successful exploitation could expose internal infrastructure topology, metadata services, or other resources reachable from the object server tier.
Server-side request forgery in Flowise's Execute Flow node allows authenticated low-privilege users to coerce the server into issuing HTTP requests to arbitrary internal network addresses by supplying intranet URLs through the base URL configuration field. All flowise and flowise-components npm versions through 3.0.13 are affected due to the Execute Flow code path never invoking the secureFetch wrapper present in httpSecurity.ts. Publicly available exploit code exists in GHSA-9hrv-gvrv-6gf2, including a concrete POST request demonstrating server-side retrieval and echo of internal service responses; no CISA KEV listing indicates active mass exploitation at time of analysis.
Local repository import and blind SSRF in Gogs versions prior to 0.14.3 allows authenticated users to bypass clone-address validation via the Mirror Settings feature. The SaveAddress path in repository Mirror Settings omitted the validation applied to New Migration, letting any authenticated user point a mirror at a local filesystem path or internal address. No public exploit identified at time of analysis beyond the reporter's PoC; not listed in CISA KEV.
Server-side request forgery in Budibase (@budibase/backend-core before 3.39.9) lets authenticated users with automation permissions bypass the SSRF blacklist via DNS rebinding, reaching loopback, RFC1918, and cloud metadata endpoints from the Budibase host. The outbound fetch helper validates a hostname's resolved IP against the blacklist but never pins that IP to the subsequent socket, so node-fetch performs a second DNS lookup that can resolve to an internal address. Because several automation steps return upstream response bodies into automation output, the result is a non-blind read primitive; publicly available exploit code (a rebinding PoC) exists, though EPSS is low (0.24%, 15th percentile) and it is not on CISA KEV.
Server-side request forgery in Gogs (self-hosted Git service) versions ≤ 0.14.2 lets a user who can configure a webhook reach internal-only network addresses by abusing HTTP redirect following. The original CVE-2022-1285 fix only blocked webhook URLs whose hostname resolves into local CIDRs, but the delivery client still chased 3xx redirects, so a webhook pointed at an attacker-controlled host that returns a 301 to http://169.254.169.254/ pivots into cloud metadata and other internal services. Publicly available exploit code exists (a working PoC against try.gogs is documented, dumping DigitalOcean droplet metadata); it is not listed in CISA KEV and no public EPSS figure is provided.
Server-Side Request Forgery (SSRF) in n8n's dynamic node parameters endpoint allows authenticated users with credential access to bypass the platform's Allowed HTTP Request Domains restriction, causing the n8n server to issue outbound HTTP requests carrying stored credentials to attacker-controlled or unauthorized hosts. All n8n deployments prior to version 2.20.0 are affected regardless of domain restriction configuration, as the restriction is not enforced on the POST /rest/dynamic-node-parameters/options endpoint. No public exploit code or CISA KEV listing has been identified at time of analysis, but the attack is low-complexity once authentication is obtained.
Server-side request forgery in Crawl4AI before 0.8.7 allows unauthenticated remote attackers to coerce the server into fetching arbitrary internal URLs via the /crawl, /crawl/stream, /md, and /llm endpoints. The product's internal-address blocklist can be bypassed using IPv6-mapped IPv4 notation (e.g., ::ffff:169.254.169.254), exposing cloud metadata services and internal infrastructure. No public exploit identified at time of analysis, but the GHSA advisory and a VulnCheck write-up document the flaw in detail.
Blind Server-Side Request Forgery in Paymenter's PayPal gateway module (versions < 1.5.0) allows remote unauthenticated attackers to coerce the application server into issuing arbitrary HTTP GET requests by supplying a malicious URL in the PAYPAL-CERT-URL HTTP header. The webhook endpoint at /extensions/paypal/webhook passes this header directly to PHP's file_get_contents() with no allowlist, domain validation, or signature pre-check, violating the security intent of PayPal's certificate verification flow. No public exploit has been identified at time of analysis, but the zero-prerequisite attack surface and public advisory disclosure make this an accessible target for any unauthenticated actor who can reach the endpoint.
Server-Side Request Forgery in OpenAM's /sessionservice endpoint allows authenticated attackers to register arbitrary URLs for session event notifications, causing the IAM server to make outbound HTTP requests to attacker-controlled destinations. Affected versions are org.openidentityplatform.openam:openam-core up to and including 16.0.6; the flaw was patched in release 16.1.1. No public exploit code or CISA KEV listing has been identified at time of analysis, but the authentication barrier is low (any valid session), and deployment context - a central enterprise authentication gateway - elevates the downstream risk of internal network reconnaissance or session data exfiltration.
Server-side request forgery in phpseclib's X.509 validation allows unauthenticated network attackers to force the validating server to open arbitrary outbound connections to attacker-controlled hosts, including internal loopback addresses (127.0.0.1) and cloud metadata endpoints (169.254.169.254). The flaw exists because X509::validateSignature() unconditionally fetches URLs embedded in the Authority Information Access extension of untrusted certificates with no blocklist or destination filtering - and this behavior is enabled by default across all three maintained release branches. No CISA KEV listing exists at time of analysis, and no weaponized public exploit was referenced, though the GitHub advisory provides exact file and line references making the trigger path immediately reproducible.
Server-Side Request Forgery in IBM Watson Speech Services Cartridge (versions 4.0.0 through 5.3.1) lets an authenticated attacker coerce the system into issuing crafted requests to internal or external hosts, enabling internal network enumeration and pivoting toward follow-on attacks. The weakness lives in the embedded IBM Sterling File Gateway component used by the speech runtimes (GHSA-rr7j-v2q5-chgv). No public exploit identified at time of analysis; EPSS is low (0.18%, 8th percentile) and CISA SSVC marks exploitation as none, so this is a patch-priority issue rather than an emergency.
Server-side request forgery in IBM WebSphere Application Server 8.5 and 9.0 allows remote unauthenticated attackers to coerce the server into issuing arbitrary outbound requests when the Ajax Proxy is configured, enabling security bypass and information disclosure. IBM has released fixes and no public exploit is identified at time of analysis; EPSS is low (0.23%, 14th percentile) and SSVC marks exploitation as 'none' despite a CVSS of 9.1.
Server-side request forgery in Activepieces through version 0.83.0 enables authenticated remote attackers to coerce the server into issuing arbitrary HTTP requests to attacker-controlled destinations via the `handleUrlFile` function in the File URL Handler component. The vulnerability spans the entire documented release history from 0.1 to 0.83.0, and a public exploit write-up is available on GitHub, materially lowering the exploitation barrier. The vendor did not respond to responsible disclosure, meaning no patch has been released at time of analysis and no official remediation guidance exists.
Server-side request forgery in LiteLLM's experimental MCP OpenAPI Spec Loader allows authenticated remote attackers to coerce the server into issuing arbitrary HTTP requests by supplying a malicious `spec_path` value to the `load_openapi_spec_async` function. Affected versions are LiteLLM 1.82.0 through 1.82.2 as confirmed by EUVD. A public proof-of-concept exploit exists on GitHub, though the vulnerability is not in CISA KEV and the CVSS 4.0 score of 2.1 with E:P modifier reflects low-severity, authenticated exploitation with a known but apparently limited threat footprint.
Server-side request forgery in BerriAI LiteLLM versions up to 1.82.2 allows authenticated remote attackers to induce the proxy server to make arbitrary outbound HTTP requests by manipulating the MCP (Model Context Protocol) Server Connection Testing endpoint. The vulnerable function `_execute_with_mcp_client` in the experimental MCP server component fails to validate or restrict user-supplied connection targets, enabling internal network probing, potential access to cloud metadata services, and circumvention of network segmentation controls. A publicly available proof-of-concept exploit exists (GitHub gist by YLChen-007); no CISA KEV listing was present at time of analysis. The CVSS 4.0 reported score of 2.1 reflects threat-metric downgrade from E:P (proof-of-concept) and should not be taken as indicative of low inherent exploitability - the base network vector with low-privilege access represents a meaningful internal network exposure risk.
Full-read SSRF in AVideo through version 27.0 allows authenticated administrators to make the server fetch arbitrary URLs via the statsURL parameter in plugin/Live/test.php, including cloud metadata endpoints and internal network services. The endpoint bypasses the codebase's own isSSRFSafeURL() guard - used in seven other endpoints - and returns full response bodies in the HTML output, enabling retrieval of IAM credentials from cloud metadata services such as 169.254.169.254, internal service data, and network configuration details. No public exploit code has been formally labeled as proof-of-concept, but the GHSA advisory discloses the complete vulnerable code path with all three sink functions (file_get_contents, curl_exec, wget), making exploitation trivial for any party who has read the advisory.
Server-side request forgery in Capgo's webhook URL validation exposes internal infrastructure to organization admins who can direct the backend to issue HTTP requests against loopback and private addresses (localhost, 127.0.0.1). All Capgo versions prior to 12.128.2 are affected per the GitHub Security Advisory GHSA-48hc-53hv-6x3f. The vulnerability is particularly dangerous in cloud-hosted deployments where the backend server can reach instance metadata services (e.g., AWS IMDS), and error responses are disclosed directly to the triggering user, enabling iterative internal network reconnaissance. No public exploit identified at time of analysis and no CISA KEV listing, but the authenticated-admin attack path lowers the effective barrier in multi-tenant SaaS environments.
Flowise before 2.1.4 allows configuration to be injected into the Chainflow during execution via the overrideConfig option, supported in both the frontend web integration and the backend Prediction. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Code Injection vulnerability could allow attackers to inject and execute arbitrary code within the application.
Incomplete SSRF remediation in mailpit v1.29.2 through v1.30.1 leaves the Link Check API bypassable via IPv6 transition mechanism literals (6to4, NAT64, IPv4-compatible IPv6, ISATAP, Teredo) and unclassified IPv6 prefixes (fec0::/10, 2001:db8::/32) that Go's stdlib Is* classification helpers silently pass. An unauthenticated network attacker who can deliver email to mailpit's SMTP listener and invoke the Link Check API can coerce the application into dialing internal IPv4 destinations - including cloud metadata endpoints at 169.254.169.254 - by encoding the target as an IPv6 literal that returns false for all seven predicates in IsInternalIP, bypassing the guard introduced for CVE-2026-27808. Publicly available exploit code exists in the form of a reproducible unit test and end-to-end proof-of-concept published in the advisory; this is the same deny-list bypass class confirmed in CVE-2026-44430 (MCP Registry) and CVE-2026-45741 (Gotenberg).
Server-Side Request Forgery and arbitrary JavaScript injection in Craft CMS 4.x (before 4.18) and 5.x (before 5.10) allow remote unauthenticated attackers to poison the Host or X-Forwarded-Host header against the /actions/app/resource-js endpoint, forcing the backend Guzzle client to proxy attacker-controlled content as application/javascript. When the instance sits behind a caching layer, this chains into web cache poisoning, stored XSS in the Control Panel, and 1-click RCE via session-riding the plugin install action. No public exploit identified at time of analysis, though the GitHub Security Advisory (GHSA-c55v-343g-5xff) provides detailed exploitation mechanics.
Server-Side Request Forgery in Mercator's CVE configuration panel allows authenticated users holding the low-privilege 'configure' permission to coerce the application server into issuing arbitrary outbound network requests to any internal or external host. Affected versions prior to 2025.05.19 pass user-supplied URLs directly to curl_init() in ConfigurationController::testProvider() with no scheme, hostname, or private-IP validation; the intended /api/dbInfo suffix restriction is trivially defeated by appending a # fragment character, granting full URL control. Support for the telnet:// scheme enables internal TCP port scanning, while gopher:// permits raw protocol-level interaction with unauthenticated internal services such as Redis and Memcached, creating a realistic path to Remote Code Execution on those systems under common deployment conditions. No public exploit code or CISA KEV listing has been identified at time of analysis.
Server-Side Request Forgery in AWX's GitHub webhook integration (Red Hat Ansible Automation Platform 2) enables a remote attacker possessing a job template's webhook_key to redirect PAT-bearing status callbacks to an attacker-controlled endpoint, exfiltrating the configured GitHub Personal Access Token. The attack exploits AWX's failure to validate that the pull_request.statuses_url field in an incoming webhook payload points to a legitimate GitHub API domain before using it as a POST target. No public exploit is identified at time of analysis, but successful exploitation yields persistent GitHub repository access through the stolen PAT, extending the blast radius well beyond the AWX system itself.
PhpWeasyPrint (pontedilana/php-weasyprint) prior to version 2.6.0 enables server-side request forgery and local file disclosure through its `attachment` option, which passes any URL-shaped value through PHP's `file_get_contents()` without restricting the URL scheme. Applications that expose the `attachment` option to user-controlled input allow an attacker to probe internal HTTP endpoints (including cloud instance metadata services) and read arbitrary local files by supplying schemes such as `file://` or `php://filter/...`, with exfiltrated content embedded directly into the generated PDF output. This is the same vulnerability class patched in KnpLabs/snappy (GHSA-c5fp-p67m-gq56); no public exploit or CISA KEV listing exists at time of analysis.
Unauthenticated callers can trigger server-side request forgery against NL Portal Backend Libraries (nl.nl-portal:form versions 1.1.0.RELEASE through 3.0.3) by invoking the public GraphQL resolvers `getFormDefinitionByObjectenApiUrl` or `getFormDefinitionById`, causing the backend to issue outbound HTTP requests bearing a privileged Objecten-API `Authorization: Token` header to a caller-influenced URL on the configured Objecten-API host. The SSRF is constrained to the same configured host by a host-equality guard, and arbitrary data disclosure is further limited by strict typed deserialization in Kotlin, which keeps practical real-world impact at Medium despite unauthenticated network access. A lab proof-of-concept was confirmed by the reporter against the real Spring WebFlux stack; no public exploit code has been independently identified and the vulnerability is not listed in CISA KEV.
Server-Side Request Forgery in the Bit Integrations WordPress plugin (all versions through 2.8.7) allows unauthenticated attackers to force the web server to issue arbitrary HTTP requests to internal or external locations via the upload_attachment function. Exploitation enables querying and modifying data from internal services reachable by the web server, including metadata services in cloud environments, internal APIs, or private network endpoints. No public exploit is identified at time of analysis, but the attack requires only a default integration configuration, substantially lowering the practical barrier to exploitation.
Server-Side Request Forgery in the Advanced Import WordPress plugin (all versions through 1.4.6) allows authenticated users holding Author-level access or higher to force the web server to issue HTTP requests to arbitrary internal or external URLs via the demo_download_and_unzip() AJAX handler. The critical design flaw is the inconsistent use of wp_remote_get() instead of WordPress's own wp_safe_remote_get() - which the plugin correctly employs elsewhere - meaning no SSRF-aware URL validation is applied to the 'demo_file' POST parameter when 'demo_file_type' is set to 'url'. No public exploit code has been identified at time of analysis, but the scope change in the CVSS vector reflects that successful exploitation escapes the WordPress application boundary and can reach internal network services, including cloud instance metadata endpoints such as AWS IMDSv1.
Unauthenticated SSRF in signalk-server ≤2.27.0 allows remote attackers to force the server to make arbitrary HTTP/HTTPS requests to any destination, including RFC 1918 private ranges, loopback, and cloud metadata services at 169.254.169.254. On default installations where no admin user has been created, the security middleware is a no-op, meaning all three vulnerable endpoints are completely unauthenticated over the network. A detailed public PoC is included in the GitHub advisory demonstrating internal network scanning, AWS IAM credential theft via IMDSv1, and path-traversal-assisted targeted data exfiltration; no CISA KEV listing is present at time of analysis.
Server-side request forgery in Gotenberg v8.33.0 and earlier allows remote unauthenticated attackers to coerce the server into making arbitrary outbound HTTP(S) requests and to disclose local image files by uploading a crafted DOCX to the /forms/libreoffice/convert endpoint. The flaw stems from LibreOffice automatically resolving external and local resources referenced in <img> tags during conversion, exposing internal networks and on-disk image files. Publicly available exploit code exists via the vendor's GHSA-2mrg-35hw-x3x9 advisory, though no CISA KEV listing or EPSS data is available at time of analysis.
Server-Side Request Forgery in Zitadel's outgoing HTTP subsystems - HTTP Notification Channel webhooks, OIDC BackChannel Logout endpoints, and SAML Metadata URL fetches - enables authenticated users with application configuration privileges to force the Zitadel server to issue HTTP requests to internal network addresses, loopback interfaces, and cloud metadata endpoints such as the link-local IMDSv1 address 169.254.169.254. The pre-existing denylist for the Actions subsystem was additionally bypassable via DNS rebinding (TOCTOU), HTTP redirect following, and HTTPS-to-HTTP protocol downgrade, and all three newly affected components lacked denylist coverage entirely. No public exploit code has been identified at time of analysis; however, the vulnerability was independently reported by 13+ researchers, and a vendor patch is available in v4.15.2 with no backport for the v3.x branch.
Server-Side Request Forgery in the CF7 to Webhook WordPress plugin (versions up to and including 5.0.0) allows unauthenticated attackers to coerce the WordPress server into issuing arbitrary outbound HTTP requests through the pull_the_trigger functionality. Exploitation is conditional on an administrator configuring the webhook URL with a Contact Form 7 field placeholder inside the host portion of the URL, with the form publicly reachable. No public exploit identified at time of analysis, and there is no CISA KEV listing for this vulnerability.
Server-side request forgery in Typebot chatbot builder before version 3.17.2 allows remote unauthenticated attackers to bypass SSRF protections via DNS rebinding, reaching internal services and cloud metadata endpoints. The validator resolves a hostname once for allowlist checks, but the subsequent HTTP request performs a fresh DNS resolution without IP pinning, creating a time-of-check to time-of-use (TOCTOU) gap. No public exploit identified at time of analysis, though the fix commit and detailed advisory are publicly available on GitHub.
Authentication token leakage in Black Lantern Security's bbot docker_pull module exposes Docker credentials to MITM attackers who can substitute the realm parameter in a forged WWW-Authenticate Bearer challenge. When bbot contacts a Docker registry and receives a 401 response, the vulnerable module blindly trusts the attacker-supplied realm URL and forwards authentication material to an arbitrary endpoint outside the legitimate registry domain. No public exploit code has been identified and the vulnerability is not listed in CISA KEV, but an upstream patch commit is available on GitHub.
Authentication bypass in Network-AI versions 5.7.1 and earlier allows unauthenticated remote attackers to invoke all 22 MCP tools on the SSE server because the default secret is empty and `_isAuthorized()` returns true when no secret is configured. Despite the partial fix for CVE-2026-46701 in 5.4.5 (which restricted CORS to localhost origins), any non-browser caller - curl, SSRF, or a service exposed via a 0.0.0.0 bind - can still call privileged operations like `config_set`, `agent_spawn`, `blackboard_write`, and token management with zero credentials. No public exploit identified at time of analysis, but the GHSA advisory includes annotated source-code locations that effectively serve as a roadmap for exploitation.
XML External Entity injection in the HAPI FHIR core library (Maven ca.uhn.hapi.fhir:org.hl7.fhir.utilities, versions <= 6.9.9) lets an attacker who controls or MITMs XML routed through XsltUtilities.saxonTransform(...) read local files and perform blind XXE/SSRF. The three saxonTransform overloads instantiate a bare net.sf.saxon.TransformerFactoryImpl that resolves external general and parameter entities, unlike the co-located transform() siblings that use the project's hardened XXE-protected factory. Publicly available exploit code exists (a full end-to-end PoC accompanies the GitHub advisory), though there is no public exploit identified as actively used in the wild.
SSRF protection bypass in Open WebUI's SafePlaywrightURLLoader (versions <= 0.9.5) allows authenticated users to access internal network resources by supplying an externally-hosted URL that returns an HTTP 301/302 redirect to a private address. Because Playwright's page.goto() automatically follows redirects without re-validating the destination, attackers can reach localhost, container-network peers, or cloud metadata endpoints (169.254.169.254) even when ENABLE_RAG_LOCAL_WEB_FETCH=False. A working PoC is published in the GHSA advisory; there is no public exploit identified at time of analysis being actively used, and no CISA KEV listing.
Authenticated path traversal and SSRF in Open WebUI's terminal-server reverse proxy (versions <= 0.9.5) allows non-admin users with granted terminal access to escape the intended path or policy scope using double-encoded traversal sequences (%252e%252e). The flaw bypasses the project's own _sanitize_proxy_path mitigation, which performs only a single URL-decode pass before the '..' check, letting attackers reach unintended endpoints, files, and internal services routed by the terminal server. No public exploit identified at time of analysis, though the vendor advisory includes working proof-of-concept request strings.
Cross-user file disclosure in Open WebUI (pip package open-webui, versions ≤ 0.9.5) allows any authenticated user to read the content of files uploaded by other users by supplying a victim's file UUID as the image_url.url value in POST /api/chat/completions. The server's image-conversion middleware resolves the UUID against the global file table with no ownership check, base64-encodes the file, and injects it into the LLM prompt, from which the attacker reads the content via a transcription instruction. No KEV listing confirms active exploitation, but a complete step-by-step reproduction proof-of-concept is embedded in the public GitHub Security Advisory (GHSA-wch8-mhj5-9frg), materially increasing exploitation likelihood; the vendor-released fix is version 0.9.6.
Server-side request forgery in Open WebUI versions 0.9.5 and earlier allows authenticated OAuth users to read arbitrary internal HTTP responses by abusing the `_process_picture_url` function in `backend/open_webui/utils/oauth.py`, which validates only the initial URL and then permits aiohttp's default 10-redirect follow chain to reach internal addresses. The decoded response body is stored in the attacker's `profile_image_url` and retrievable via `GET /api/v1/auths/`, yielding cloud metadata credentials and access to localhost-bound services. Publicly available exploit code exists (detailed sentinel-verified PoC supplied by the reporter); no public exploit identified at time of analysis in the form of weaponized tooling, and the CVE is not on the CISA KEV list.
Server-Side Request Forgery in NocoDB's base-migration endpoint allows authenticated workspace owners to coerce the migration worker into issuing requests using arbitrary URL schemes - including file:// and ftp:// - enabling local file disclosure and interaction with non-HTTP services. The affected package is pkg:npm/nocodb at versions up to and including 0.301.3; no released patched version has been confirmed at time of analysis. Exploitation is constrained to principals holding the workspace owner role, but within that privilege tier no additional conditions are required to trigger the vulnerability. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis.
Server-Side Request Forgery in NocoDB's spreadsheet-fetch endpoint (`axiosRequestMake`) allows authenticated users with editor-level permissions to coerce the NocoDB server into issuing HTTP requests to cloud metadata services (e.g., AWS IMDSv1 at `169.254.169.254`) and other internal network resources reachable from the NocoDB process. Two distinct defensive failures enabled the attack: an un-anchored file-extension allowlist that accepted `.xlsx` anywhere in the URL path, and a hand-rolled IP blocklist that omitted `127.0.0.0/8` and `169.254.0.0/16`. On cloud-hosted deployments, this functions as a credential-exfiltration primitive. No public exploit has been identified at time of analysis, but the attack pattern is trivially reproducible from the advisory text alone.
Server-Side Request Forgery in Pydantic AI (versions 1.56.0-1.101.0, 2.0.0b1, 2.0.0b2) allows unauthenticated network attackers to bypass the cloud-metadata IP blocklist by encoding metadata service addresses (e.g., 169.254.169.254) in IPv6 transition forms - specifically IPv4-compatible IPv6, NAT64 RFC 8215 local-use prefixes, operator-chosen NAT64 prefixes, and ISATAP - that the prior remediation (CVE-2026-46678) failed to decode, enabling retrieval of cloud IAM short-term credentials. Exploitation is constrained by two simultaneous prerequisites: the application must use the non-default `force_download='allow-local'` mode and must operate on a network that routes the affected IPv6 transition forms (e.g., IPv6-only or dual-stack-with-NAT64 Kubernetes clusters). This is the third iteration in an escalating bypass chain (CVE-2026-25580 → CVE-2026-46678 → CVE-2026-48782), and no public exploit has been identified at time of analysis.
Unauthenticated server-side request forgery in Crawl4AI's Docker API server (versions < 0.8.9) lets remote attackers reach internal services and cloud-metadata endpoints by supplying a proxy address that bypasses the crawl-URL validation. Because the Docker API is unauthenticated by default and the SSRF check was only applied to the crawl target - not to the proxy destination - an attacker can route Chromium's egress through an internal IP (e.g. AWS IMDSv1 at 169.254.169.254) and read the response verbatim from the crawl result. No public exploit is identified at time of analysis, but the reporter supplied a working PoC and EPSS risk is low (0.29%, 20th percentile).
Server-Side Request Forgery in Crawl4AI's Docker API server (versions <= 0.8.7) allows unauthenticated remote attackers to bypass the IPv4/IPv6 CIDR blocklist in validate_webhook_url/validate_url_destination by using IPv6 transition forms (NAT64, 6to4, IPv4-mapped, IPv4-compatible) or the unspecified address. Since the Docker API ships with jwt_enabled:false by default, attackers can pivot the server into fetching cloud metadata endpoints like 169.254.169.254, potentially exposing IAM credentials. No public exploit identified at time of analysis, but the upstream advisory (GHSA-4qqr-vv2q-cmr5) details the exact bypass payloads.
Unauthenticated server-side request forgery in LobeHub's `/webapi/proxy` endpoint (versions <= 2.1.56) allows any remote attacker to proxy arbitrary HTTP requests through LobeHub's infrastructure and inject attacker-controlled `Set-Cookie` headers onto the `lobehub.com` domain. The flaw stems from the route handler omitting the `checkAuth()` wrapper that protects every other webapi route, enabling SSRF, infrastructure reconnaissance against Vercel internals, and a CSRF-to-session-fixation chain against Clerk auth cookies. Publicly available exploit code exists (working curl PoCs and a CSRF HTML PoC are included in the GitHub Security Advisory GHSA-xmwj-c75x-6346); no public exploit identified at time of analysis in CISA KEV.
HTTP redirect validation bypass in Hugo v0.91.0-v0.161.1 allows the `resources.GetRemote` build-time HTTP client to follow 3xx redirects to hosts explicitly forbidden by the `security.http.urls` allow-list, enabling server-side request forgery (SSRF) against internal network targets. Build pipelines that rely on `security.http.urls` as a trust boundary - for example, CI systems that fetch from semi-trusted external hosts while restricting access to internal metadata services or private IP ranges - are the primary risk population. No public exploit has been identified at time of analysis, and exploitation requires an attacker to control or manipulate an already-permitted external host.
WebSocket connections in Deno 2.8.0 and earlier silently bypass `--deny-net` network sandbox rules by exploiting a missing post-DNS-resolution IP check - the runtime validates the destination hostname but never validates the IP address that hostname resolves to, enabling a classic DNS-rebinding-style SSRF (CWE-918) within the permission system. Any script running under `deno run` with `--deny-net` restrictions can weaponize an attacker-controlled domain to reach blocked hosts such as localhost or cloud metadata endpoints (e.g., 169.254.169.254). No public exploit has been identified at time of analysis, and the issue is specific to the WebSocket API; `Deno.connect` and `fetch()` are addressed in a companion advisory.
Regex translation in the @astrojs/netlify adapter broadens Astro's image.remotePatterns beyond the intended allowlist when building for Netlify deployment, enabling unauthorized image fetches from apex hosts and deeper URL paths. Versions of @astrojs/netlify prior to 7.0.13 (confirmed vulnerable at 7.0.10) generate Netlify Image CDN regex patterns that make wildcard subdomains optional and omit end-anchoring on pathname segments, causing the Netlify CDN to accept URLs that Astro's canonical matcher would reject. Unauthenticated public requesters can exploit this to cause the Netlify Image CDN to fetch image-like resources from hosts or paths outside the developer's intended scope, constituting a partial SSRF bypass against the image proxy allowlist. No active exploitation has been confirmed in CISA KEV, but a detailed reproduction is included in the GHSA advisory.
{scheme}://{host}{path}` without validating the path prefix, and RFC 3986 §3.2.1 re-parsing then interprets the `@` symbol as a userinfo delimiter, shifting hostname authority to the attacker-supplied value. Exploitation is constrained to middleware or 404/exception handlers that act on `request.url` before routing, since the malformed path matches no registered route; no active exploitation is confirmed (not in CISA KEV) and no public exploit code beyond the advisory PoC has been identified.
Server-Side Request Forgery (SSRF) in the PopAd WordPress plugin by Vynnus allows an authenticated administrator to cause the server to make forged outbound HTTP requests to arbitrary destinations, including internal network resources. All versions through 1.0.4 are affected per CPE data (cpe:2.3:a:vynnus:popad). The scope change (S:C) in the CVSS vector confirms that successful exploitation can reach systems beyond the WordPress host itself, enabling lateral pivoting into internal infrastructure. No public exploit identified at time of analysis.
Server-side request forgery in Starlette's StaticFiles on Windows allows unauthenticated remote attackers to coerce the application process into making outbound SMB connections to attacker-controlled hosts, leaking the service account's NTLMv2 hash for offline cracking or NTLM relay. The flaw affects all Starlette versions before 1.1.0 (including downstream frameworks like FastAPI) when running on Windows in the default follow_symlink=False configuration, and no public exploit identified at time of analysis though the GHSA advisory provides full technical detail sufficient to reproduce.
Server-side request forgery in @angular/platform-server allows remote unauthenticated attackers to bypass the allowedHosts allowlist by sending a malformed Host header or absolute-form request URI (e.g., 'evil.com:80:80'), causing the SSR runtime to redirect outbound HttpClient requests to attacker-controlled origins. The flaw stems from a parser differential between Node's strict WHATWG URL parser (used for allowlist validation) and Domino's lenient parser (used for DOM origin resolution). No public exploit identified at time of analysis, but proof-of-concept patterns are documented in the GitHub Security Advisory GHSA-xrxm-cp7j-8xf6.
Server-side request forgery in python-utcp 1.1.0's utcp-gql and utcp-websocket components allows remote low-privileged attackers to coerce the server into issuing arbitrary outbound HTTP requests, potentially reaching internal infrastructure not exposed to the public internet. The affected library implements the universal-tool-calling-protocol and the vulnerable code paths reside in its GraphQL and WebSocket transport handlers. A public exploit has been disclosed via GitHub, and the vendor did not respond to coordinated disclosure, leaving no official patch available at time of analysis.
An authenticated Server-Side Request Forgery (SSRF) in the custom scraper subsystem component of Benjamin Jonard Koillection v1.8.0 allows attackers to scan internal resources via supplying a crafted URL.
Server-side request forgery in Shlink v5.0.1's automatic short URL title resolution allows remote unauthenticated attackers to probe internal network resources by submitting a crafted longUrl value. The flaw carries a CVSS 9.1 rating reflecting high confidentiality and integrity impact, though EPSS exploitation probability remains low at 0.15% and there is no public exploit identified at time of analysis beyond a referenced gist. Shlink is a self-hosted URL shortener, making this a meaningful pivot point for attackers targeting internal infrastructure behind the shortener host.
Credential exposure via SSRF in OpenClaw's message.action forwarding allows authenticated remote attackers to redirect Gateway token-bearing action payloads to attacker-supplied loopback URLs, resulting in full confidentiality compromise of Gateway credentials. Affected versions are all OpenClaw releases prior to 2026.5.2; the flaw is rooted in insufficient validation of model-controlled metadata that governs action routing. No public exploit code has been identified and this CVE is not listed in the CISA KEV catalog at time of analysis, though the Gateway credential theft impact warrants prompt patching in any deployment where OpenClaw interacts with privileged backend services.
Server-Side Request Forgery in ApostropheCMS through version 4.30.0 allows unauthenticated remote attackers to pivot the Node.js application process into issuing outbound HTTP requests to arbitrary hosts on the internal network when the `prettyUrls` SEO feature is explicitly enabled on the `@apostrophecms/file` module. The attack exploits the raw `Host` HTTP request header, which the pretty-URL handler uses verbatim to construct and `fetch()` an upstream URL, streaming the full HTTP response - status code, headers, and body - back to the requester. Practical impact is constrained to blind SSRF (network-topology probing via response-code and timing oracles, and verbose proxy or WAF error-body disclosure) rather than arbitrary data exfiltration; no patch exists at time of publication and no public exploit has been identified.
SSRF in Koel's radio station creation endpoint (POST /api/radio/stations) allows any authenticated non-admin user to coerce the server into issuing HEAD/GET requests to arbitrary internal hosts. The root cause is a missing Laravel `bail` keyword in the URL field validation chain: the SafeUrl rule correctly rejects private/reserved addresses, but without bail, the subsequent HasAudioContentType rule still executes and makes an outbound HTTP request to the attacker-supplied URL. Vendor-released patch version 9.7.1 resolves the issue; no public exploit or CISA KEV listing exists at time of analysis.
Server-Side Request Forgery in GeoServer 2.26.x prior to 2.26.4 and 2.27.x prior to 2.27.3 allows unauthenticated remote attackers to coerce the server into issuing HTTP requests to attacker-chosen destinations by abusing weak prefix matching of the proxy base URL inside the XML entity resolver. No public exploit identified at time of analysis, and EPSS exploitation probability sits at 0.06% (19th percentile), but the trivial network-only attack vector and default-enabled ENTITY_RESOLUTION_ALLOWLIST since 2.25.0 raise the realistic exposure for internet-facing instances.
Server-side request forgery in OpenClaw's Playwright-backed browser control allows authenticated low-privilege users to circumvent private-network navigation guards by chaining action-triggered redirects through the Playwright act interaction mechanism. All OpenClaw versions prior to 2026.5.18 are affected, and subsequent browser evaluation APIs can be abused to read the content of private-network pages - including internal services, admin panels, or cloud metadata endpoints reachable from the server. No public exploit code and no CISA KEV listing have been identified at time of analysis; however, the subsequent-system confidentiality impact is rated High in the CVSS 4.0 vector, reflecting meaningful data-disclosure potential in cloud-hosted or internally networked deployments.
Server-side request forgery in steipete/Summarize before v0.17.0 enables an attacker who controls a podcast RSS feed to coerce the application into fetching transcript content from loopback addresses, link-local addresses, RFC 1918 private ranges, and other reserved destinations. The vulnerability is compounded by two bypass mechanisms: DNS rebinding (allowing an attacker to pass an initial hostname check then resolve to an internal target) and unvalidated redirect-following (where intermediate redirect targets are never re-screened). Exploitation exposes internal service responses through the summarization pipeline to the attacker. No active exploitation is confirmed (not in CISA KEV), and no public exploit code has been identified; a vendor patch is available as v0.17.0.
Server-side request forgery in Garlic-Hub digital signage manager prior to version 1.1 allows authenticated users to coerce the server into issuing arbitrary HTTP requests to internal services via the uploadFromUrl endpoint. Responses are stored in the publicly accessible media pool, enabling internal port scanning, service fingerprinting, and exfiltration of internal HTTP responses. No public exploit identified at time of analysis, but the upstream commit (076b6d7) and GHSA-x24v-76hr-989r advisory disclose the patched validator logic.
Server-side request forgery in the Fediverse Embeds WordPress plugin before 1.5.8 lets any unauthenticated visitor coerce the WordPress host into issuing arbitrary outbound HTTP requests and returns the full response body to the caller, turning the site into a full-read open proxy. The flaw stems from the ftf/media-proxy REST route being registered with permission_callback => __return_true and a dead allowlist check whose result was never honored before wp_remote_get was invoked on a base64-decoded attacker-supplied URL. No public exploit identified at time of analysis, but the bug is trivial to weaponize against internal cloud metadata endpoints and intranet services from any reachable WordPress install.
Server-Side Request Forgery in the Fediverse Embeds WordPress plugin (versions prior to 1.5.9) allows any unauthenticated visitor to cause the WordPress server to fetch an arbitrary URL by abusing a publicly exposed AJAX endpoint. The nonce mechanism guarding the endpoint (`ftf-fediverse-embeds-nonce`) is not an authentication boundary - the same nonce is embedded into every public page containing a fediverse embed, making it trivially obtainable by any site visitor. Once obtained, the nonce can be replayed to invoke `file_get_html($site_url)` with an attacker-controlled URL, potentially exposing internal services such as cloud provider metadata endpoints. No active exploitation has been confirmed (CVE is not in CISA KEV) and no public proof-of-concept has been identified at time of analysis.
Server-side request forgery in Kolibri (pip/kolibri <= 0.19.3) allows network-reachable attackers to force the Kolibri server to issue outbound HTTP requests to arbitrary internal hosts, cloud metadata endpoints, and internal services, with JSON response bodies reflected directly to the caller. The primary GET endpoint at /api/auth/remotefacilityuser required no authentication whatsoever, making this exploitable by any party with network access to the Kolibri server. A working proof-of-concept was retained internally by the reporting researcher but was not published; no public exploit code exists and CISA KEV listing has not been identified at time of analysis.
Server-side request forgery in IBM Langflow Desktop 1.0.0 through 1.9.2 enables authenticated network-based attackers to coerce the application into issuing arbitrary outbound HTTP requests on their behalf. The vulnerability, classified under CWE-918, can expose internal network topology by proxying requests through the server to otherwise inaccessible hosts, and may serve as a stepping stone for further lateral movement or credential harvesting from cloud metadata services. No public exploit code has been identified at time of analysis, and a vendor-released patch is available via IBM advisory.
Server-Side Request Forgery (SSRF) in GitLab CE/EE's repository import feature allows an authenticated low-privileged user to read arbitrary files from the backend Gitaly server and probe internal network resources by supplying maliciously crafted secondary URLs that bypass input validation. Affected versions span the 18.10, 18.11, and 19.0 release lines, all patched by GitLab on 2026-06-10. No public exploit code and no CISA KEV listing have been identified at time of analysis, though the combination of authentication-only gating and network-accessible entry point makes this a meaningful lateral-movement risk in self-managed GitLab deployments.
Server-Side Request Forgery in Spring Web Services (versions 3.1.0-3.1.8, 4.0.0-4.0.18, 4.1.0-4.1.3, and 5.0.0-5.0.1) allows remote unauthenticated attackers to coerce the server into initiating outbound HTTP connections to attacker-controlled or internal destinations by abusing WS-Addressing ReplyTo/FaultTo headers. The flaw stems from WebServiceMessageSender instances dispatching to destinations taken directly from SOAP request headers without validating that the targets are safe. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Server-Side Request Forgery in the Fedify ActivityPub library (versions 0.11.2 through 2.2.3, with branch-specific cutoffs) allows remote attackers to coerce outbound fetches to non-public IPv4 destinations because the `isValidPublicIPv4Address()` allow-list misses several reserved, multicast, benchmarking, and CGNAT ranges. This is an incomplete-fix bypass of the SSRF mitigation originally tracked as GHSA-p9cg-vqcc-grcx, and at time of analysis there is no public exploit identified, though the underlying logic and patch diff are publicly disclosed in the GHSA-xw9q-2mv6-9fr8 advisory. Federated servers built on Fedify are exposed whenever they fetch attacker-controlled ActivityPub documents or media.
Server-side request forgery in the Open Health Imaging Foundation (OHIF) DICOM Web Viewer Framework lets an attacker exfiltrate an authenticated user's OIDC Bearer token by abusing the default-enabled DICOMWebProxy and DICOMJSON data sources, which fetch an attacker-supplied URL without validation while OHIF's global auth service silently attaches the victim's token to the outbound request. Any authenticated user lured into loading a malicious viewer link sends their live credential to an attacker-controlled host, enabling identity takeover against the PACS or backend. No public exploit identified at time of analysis and the issue is not on CISA KEV, but the high-impact token leakage and default-configuration exposure make it a meaningful credential-theft risk.
Privilege escalation via broken authorization in Netflix Lemur (versions <= 1.9.0) lets any authenticated user - including the shipped lowest-privilege `read-only` role - perform admin-only certificate-management actions. Because the `StrictRolePermission` and `AuthorityCreatorPermission` classes were instantiated with an empty Need set when their config flags were left at the default `False`, Flask-Principal's `allows()` returns True for every identity, removing the only role gate in front of CA creation, certificate upload, notification (SSRF sink) management, and domain registry edits. No public exploit identified at time of analysis and the issue is not in CISA KEV, but exploitation requires only a single low-privilege credential, making it a direct pivot to control of the PKI issuance plane.
Server-side request forgery in MaxKB before 2.10.0 allows any authenticated user holding the default workspace USER role to coerce the application server into making arbitrary HTTP requests to attacker-controlled destinations via the `downloadCallbackUrl` and `download_url` parameters on ToolSerializer endpoints. An attacker can pivot through the MaxKB host to probe and extract data from internal network services - cloud metadata APIs, internal databases, adjacent microservices - that would otherwise be inaccessible from outside the network perimeter. A public proof-of-concept exists at GitHub issue #6272; this is not confirmed actively exploited (not in CISA KEV).
Server-side request forgery in NewsBlur's add_url endpoint allows any authenticated user to direct the server to issue arbitrary HTTP requests to private, loopback, or link-local addresses, including cloud instance metadata services. All NewsBlur deployments prior to version 14.5.0 (CPE: cpe:2.3:a:samuelclay:newsblur) are affected. An attacker with a valid account can supply a URL resolving to 169.254.169.254 or other internal addresses, enabling exfiltration of cloud provider IAM credentials and internal network reconnaissance. No public exploit identified at time of analysis, though patch commits are publicly available on GitHub and document the exact missing validation check.
Server-side request forgery in Huly Platform's /import endpoint allows authenticated workspace users to coerce the front pod into making arbitrary HTTP requests to internal infrastructure. Any valid workspace account can supply attacker-controlled URLs; the server fetches them, leaking internal service responses - including cloud metadata credentials - back to the attacker. A publicly available exploit exists per the GitHub issue tracker, though active exploitation has not been confirmed by CISA KEV. The CVSS 4.0 vector assigns SC:H, flagging high confidentiality impact on subsequent (internal) systems as the primary risk.
Server-side request forgery in ToolJet's RestAPI data source (versions prior to 3.20.178-lts) allows a low-privileged platform user to reach internal network endpoints because the private-IP filter validates only the hostname string rather than the resolved IP. By supplying a DNS name such as 169.254.169.254.nip.io, an attacker bypasses the filter and forces the server to query the Azure IMDS link-local endpoint, enabling theft of managed-identity tokens for the backing AKS production cluster. No public exploit identified at time of analysis and the issue is not in CISA KEV, but the cloud-credential impact makes it a high-value SSRF.
Server-side request forgery in LibreChat before 0.8.4-rc1 lets any authenticated user point a custom OpenAI-compatible endpoint baseURL at internal network addresses, because the URL is used to build HTTP requests with no SSRF validation whatsoever - no private-IP blocking, no scheme restriction, and no DNS pinning. By abusing the legitimate custom-endpoint feature, a logged-in user can coerce the server into reaching internal-only services and returning their responses, with a CVSS 3.1 score of 7.7 driven by a changed scope and high confidentiality impact. There is no public exploit identified at time of analysis and the issue is not in CISA KEV, but the trivial low-complexity nature makes it readily exploitable once an account exists.
NONET network restriction bypass in Nokogiri's JRuby implementation permits external resource fetching during XML Schema parsing despite the default network-blocking parse option being set, exposing applications to potential SSRF and XXE attacks. Only JRuby-based deployments are affected - CRuby users are fully protected because libxml2's xmlNoNetExternalEntityLoader enforces NONET at the I/O layer independently of Nokogiri's option handling. Rated low severity by maintainers (CVSS 2.6); vendor-released patch is available in version 1.19.4, and no public exploit has been identified at time of analysis.
HTML injection into server-side PDF rendering contexts in Pretix enables low-privileged authenticated users to embed external image references that trigger outbound HTTP requests from the rendering engine, leaking the server's network identity and creating an SSRF vector against internal network services. The CVSS 4.0 score of 2.1 reflects genuinely low severity - exploitation requires authentication, specific content reaching PDF rendering paths, and passive user interaction to trigger PDF generation. No public exploit code exists and this vulnerability is absent from CISA KEV.
Reverse-proxy takeover in Appsmith versions prior to 2.1 lets an authenticated low-privileged user abuse server-side request forgery to reach the bundled Caddy admin API, which ships with no authentication and listens on 0.0.0.0:2019 inside the container. By forcing the Appsmith server to issue a POST /load to that internal endpoint, the attacker rewrites the live Caddy configuration and seizes control of the reverse proxy that fronts the application. No public exploit identified at time of analysis and the issue is not in CISA KEV, but the vendor-confirmed CWE-749 exposure carries a 9.9 CVSS rating.
Server-side request forgery in Appsmith prior to version 2.1 allows authenticated users to reach loopback-bound services inside the deployment container by exploiting a split code path in host validation logic. The WebClientUtils component used by REST API and GraphQL datasource plugins enforces only an exact-match string denylist, while the comprehensive address-class check covering loopback, any-local, link-local, and fc00::/7 IPv6 ranges exists solely on the SMTP plugin code path - leaving the HTTP path bypassable. No public exploit code has been identified at time of analysis, and this CVE does not appear in the CISA KEV catalog.
Server-Side Request Forgery in Mastodon before 4.5.10, 4.4.17, and 4.3.23 lets attackers coerce the server into issuing HTTP requests to loopback interfaces, reaching private resources and internal services that should be unreachable from the public internet. The flaw stems from an incomplete IP-range blocklist that omitted a range capable of resolving to local addresses. No public exploit identified at time of analysis; the upstream advisory (GHSA-crr4-7rm4-8gpw) accompanies the fixed releases.
Server-side request forgery in Ghost CMS versions 6.19.4 through 6.21.1 allows authenticated staff users to pivot the Ghost server into making arbitrary outbound HTTP requests, including to internal network hosts and cloud instance metadata endpoints. The vulnerable code path is Ghost's post re-rendering pipeline, which fetches image dimensions from URLs stored in image cards without validating those URLs against a trusted host allowlist. No public exploit has been identified at time of analysis, and a vendor-released patch is available in 6.21.1.
Full unauthenticated administrative takeover of Payara Server Full (4.x through 7.2026.x, including 6.2024.x and 6.2025.x) is achievable by chaining a Server-Side Request Forgery in the Admin GUI's DownloadServlet with the absence of CSRF protection (CWE-352). An attacker who lures a logged-in administrator into a crafted request exfiltrates the admin REST session token (gfresttoken) to an attacker-controlled host, then replays it for full domain control and arbitrary code execution via WAR deployment. The CVSS 4.0 vector carries E:P (proof-of-concept maturity), so publicly available exploit code exists; there is no CISA KEV listing and no EPSS score in the provided data.
XML external entity (XXE) injection in the Jenkins Assembla Plugin version 1.4 and earlier lets an attacker who can control the HTTP responses of the configured Assembla server read sensitive files and secrets from the Jenkins controller and pivot into internal services via server-side request forgery. Mapped to CWE-918 (SSRF) with a CVSS 3.1 base score of 7.1 (high), there is no public exploit identified at time of analysis and CISA SSVC rates exploitation as 'none' with only partial technical impact. Exploitation requires the attacker to influence what the Assembla endpoint returns, so it is a targeted rather than mass-exploitable condition.
Server-Side Request Forgery in Pentestify 1.0.0's PDF generation endpoint enables remote attackers (PR:N per CVSS 4.0 vector) to coerce the server into issuing outbound HTTP requests to arbitrary internal or external targets, including cloud metadata services such as the AWS Instance Metadata Service at 169.254.169.254, by supplying a crafted HTTP Host header. The rendered PDF is returned to the caller, potentially leaking internal service responses or IAM role credentials. No public exploit code has been identified and no CISA KEV listing exists at time of analysis; the vulnerability is patched in version 1.1.0.
Server-side request forgery in the Kargo Takip WordPress plugin (versions through 1.2) allows unauthenticated remote attackers to coerce the site into issuing arbitrary HTTP requests via the 'api_url' parameter and to exfiltrate data from internal services. Because the plugin echoes the value of any 'auth' key from the JSON response back to the attacker, it enables direct retrieval of sensitive responses such as cloud instance metadata credentials. No public exploit identified at time of analysis, and the plugin is not listed in CISA KEV.
Server-Side Request Forgery in the WP Meta SEO WordPress plugin (all versions through 4.5.18) enables authenticated contributors to coerce the web server into issuing arbitrary outbound HTTP requests via the `new_link` parameter, with the response status code reflected back through the AJAX JSON response as `status_code`. This status-code oracle allows methodical enumeration of internal network hosts and cloud metadata services (e.g., AWS IMDSv1 at 169.254.169.254), making it particularly dangerous in cloud-hosted WordPress deployments. No public exploit identified at time of analysis, though the vulnerability is confirmed by Wordfence with direct source code references and the technique is well-understood.
Server-Side Request Forgery in the WordPress URL Preview plugin (all versions through 1.0) allows unauthenticated attackers to coerce the WordPress server into making arbitrary outbound HTTP requests via the 'url' parameter. The flaw, reported by Wordfence and tracked as CWE-918, enables querying or modifying data on internal services reachable from the WordPress host, including cloud metadata endpoints and internal admin panels. No public exploit identified at time of analysis, but the vulnerability is trivially exploitable given AV:N/AC:L/PR:N/UI:N.
Eager DNS resolution during InetSocketAddress deserialization in jackson-databind (versions 2.0.0 through pre-fix releases across the 2.18, 2.21, and 3.x lines) allows any attacker who can supply untrusted JSON to an affected endpoint to force outbound DNS lookups for attacker-chosen hostnames at readValue() time - before application validation or connect logic can intervene. This DNS-based SSRF (CWE-918) enables internal resolver probing, network topology enumeration, and DNS out-of-band interaction signals against applications that deserialize untrusted JSON into types containing InetSocketAddress fields. No public exploit code and no CISA KEV listing have been identified at time of analysis; EPSS data was not available in the provided intelligence sources.
Unauthenticated remote action execution in motionEye (pip/motioneye < 0.44.0) exposes every camera action endpoint - snapshots, recording start/stop, and administrator-configured shell scripts - to any attacker who can reach port 8765, due to a missing @BaseHandler.auth() decorator on ActionHandler.post(). Dynamically confirmed on v0.43.1 in a Docker lab environment; exploitation requires only a single HTTP POST with no credentials, headers, or user interaction. Beyond the CVSS 5.3 Medium rating, real-world impact extends to physical security bypass (PTZ, alarms, lighting controls) if action scripts are configured, and SSRF via remote camera triggering - no public exploit or CISA KEV listing is identified at time of analysis.
Server-side request forgery in Gogs versions prior to 0.14.3 allows authenticated users to bypass the migration URL blocklist by submitting a public clone URL that HTTP-redirects to internal endpoints such as 127.0.0.1, causing git clone --mirror to fetch internal repositories and import their contents into an attacker-controlled repo. Affected installations leak source code and secrets from any HTTP-reachable internal Git endpoint, and the migration job doubles as an internal network scanner. No public exploit identified at time of analysis, though the advisory contains full reproduction steps.
Server-side request forgery in OpenStack Swift's proxy-server allows authenticated users to manipulate object servers into issuing outbound HTTP requests to attacker-specified hosts. All Swift deployments running version 2.0.0 or later across all maintained release trains are affected, including the 2025.1/epoxy, 2025.2/flamingo, 2026.1/gazpacho, and development 2026.2/hibiscus branches. No public exploit has been identified at time of analysis, but successful exploitation could expose internal infrastructure topology, metadata services, or other resources reachable from the object server tier.
Server-side request forgery in Flowise's Execute Flow node allows authenticated low-privilege users to coerce the server into issuing HTTP requests to arbitrary internal network addresses by supplying intranet URLs through the base URL configuration field. All flowise and flowise-components npm versions through 3.0.13 are affected due to the Execute Flow code path never invoking the secureFetch wrapper present in httpSecurity.ts. Publicly available exploit code exists in GHSA-9hrv-gvrv-6gf2, including a concrete POST request demonstrating server-side retrieval and echo of internal service responses; no CISA KEV listing indicates active mass exploitation at time of analysis.
Local repository import and blind SSRF in Gogs versions prior to 0.14.3 allows authenticated users to bypass clone-address validation via the Mirror Settings feature. The SaveAddress path in repository Mirror Settings omitted the validation applied to New Migration, letting any authenticated user point a mirror at a local filesystem path or internal address. No public exploit identified at time of analysis beyond the reporter's PoC; not listed in CISA KEV.
Server-side request forgery in Budibase (@budibase/backend-core before 3.39.9) lets authenticated users with automation permissions bypass the SSRF blacklist via DNS rebinding, reaching loopback, RFC1918, and cloud metadata endpoints from the Budibase host. The outbound fetch helper validates a hostname's resolved IP against the blacklist but never pins that IP to the subsequent socket, so node-fetch performs a second DNS lookup that can resolve to an internal address. Because several automation steps return upstream response bodies into automation output, the result is a non-blind read primitive; publicly available exploit code (a rebinding PoC) exists, though EPSS is low (0.24%, 15th percentile) and it is not on CISA KEV.
Server-side request forgery in Gogs (self-hosted Git service) versions ≤ 0.14.2 lets a user who can configure a webhook reach internal-only network addresses by abusing HTTP redirect following. The original CVE-2022-1285 fix only blocked webhook URLs whose hostname resolves into local CIDRs, but the delivery client still chased 3xx redirects, so a webhook pointed at an attacker-controlled host that returns a 301 to http://169.254.169.254/ pivots into cloud metadata and other internal services. Publicly available exploit code exists (a working PoC against try.gogs is documented, dumping DigitalOcean droplet metadata); it is not listed in CISA KEV and no public EPSS figure is provided.
Server-Side Request Forgery (SSRF) in n8n's dynamic node parameters endpoint allows authenticated users with credential access to bypass the platform's Allowed HTTP Request Domains restriction, causing the n8n server to issue outbound HTTP requests carrying stored credentials to attacker-controlled or unauthorized hosts. All n8n deployments prior to version 2.20.0 are affected regardless of domain restriction configuration, as the restriction is not enforced on the POST /rest/dynamic-node-parameters/options endpoint. No public exploit code or CISA KEV listing has been identified at time of analysis, but the attack is low-complexity once authentication is obtained.
Server-side request forgery in Crawl4AI before 0.8.7 allows unauthenticated remote attackers to coerce the server into fetching arbitrary internal URLs via the /crawl, /crawl/stream, /md, and /llm endpoints. The product's internal-address blocklist can be bypassed using IPv6-mapped IPv4 notation (e.g., ::ffff:169.254.169.254), exposing cloud metadata services and internal infrastructure. No public exploit identified at time of analysis, but the GHSA advisory and a VulnCheck write-up document the flaw in detail.
Blind Server-Side Request Forgery in Paymenter's PayPal gateway module (versions < 1.5.0) allows remote unauthenticated attackers to coerce the application server into issuing arbitrary HTTP GET requests by supplying a malicious URL in the PAYPAL-CERT-URL HTTP header. The webhook endpoint at /extensions/paypal/webhook passes this header directly to PHP's file_get_contents() with no allowlist, domain validation, or signature pre-check, violating the security intent of PayPal's certificate verification flow. No public exploit has been identified at time of analysis, but the zero-prerequisite attack surface and public advisory disclosure make this an accessible target for any unauthenticated actor who can reach the endpoint.
Server-Side Request Forgery in OpenAM's /sessionservice endpoint allows authenticated attackers to register arbitrary URLs for session event notifications, causing the IAM server to make outbound HTTP requests to attacker-controlled destinations. Affected versions are org.openidentityplatform.openam:openam-core up to and including 16.0.6; the flaw was patched in release 16.1.1. No public exploit code or CISA KEV listing has been identified at time of analysis, but the authentication barrier is low (any valid session), and deployment context - a central enterprise authentication gateway - elevates the downstream risk of internal network reconnaissance or session data exfiltration.
Server-side request forgery in phpseclib's X.509 validation allows unauthenticated network attackers to force the validating server to open arbitrary outbound connections to attacker-controlled hosts, including internal loopback addresses (127.0.0.1) and cloud metadata endpoints (169.254.169.254). The flaw exists because X509::validateSignature() unconditionally fetches URLs embedded in the Authority Information Access extension of untrusted certificates with no blocklist or destination filtering - and this behavior is enabled by default across all three maintained release branches. No CISA KEV listing exists at time of analysis, and no weaponized public exploit was referenced, though the GitHub advisory provides exact file and line references making the trigger path immediately reproducible.
Server-Side Request Forgery in IBM Watson Speech Services Cartridge (versions 4.0.0 through 5.3.1) lets an authenticated attacker coerce the system into issuing crafted requests to internal or external hosts, enabling internal network enumeration and pivoting toward follow-on attacks. The weakness lives in the embedded IBM Sterling File Gateway component used by the speech runtimes (GHSA-rr7j-v2q5-chgv). No public exploit identified at time of analysis; EPSS is low (0.18%, 8th percentile) and CISA SSVC marks exploitation as none, so this is a patch-priority issue rather than an emergency.
Server-side request forgery in IBM WebSphere Application Server 8.5 and 9.0 allows remote unauthenticated attackers to coerce the server into issuing arbitrary outbound requests when the Ajax Proxy is configured, enabling security bypass and information disclosure. IBM has released fixes and no public exploit is identified at time of analysis; EPSS is low (0.23%, 14th percentile) and SSVC marks exploitation as 'none' despite a CVSS of 9.1.
Server-side request forgery in Activepieces through version 0.83.0 enables authenticated remote attackers to coerce the server into issuing arbitrary HTTP requests to attacker-controlled destinations via the `handleUrlFile` function in the File URL Handler component. The vulnerability spans the entire documented release history from 0.1 to 0.83.0, and a public exploit write-up is available on GitHub, materially lowering the exploitation barrier. The vendor did not respond to responsible disclosure, meaning no patch has been released at time of analysis and no official remediation guidance exists.
Server-side request forgery in LiteLLM's experimental MCP OpenAPI Spec Loader allows authenticated remote attackers to coerce the server into issuing arbitrary HTTP requests by supplying a malicious `spec_path` value to the `load_openapi_spec_async` function. Affected versions are LiteLLM 1.82.0 through 1.82.2 as confirmed by EUVD. A public proof-of-concept exploit exists on GitHub, though the vulnerability is not in CISA KEV and the CVSS 4.0 score of 2.1 with E:P modifier reflects low-severity, authenticated exploitation with a known but apparently limited threat footprint.
Server-side request forgery in BerriAI LiteLLM versions up to 1.82.2 allows authenticated remote attackers to induce the proxy server to make arbitrary outbound HTTP requests by manipulating the MCP (Model Context Protocol) Server Connection Testing endpoint. The vulnerable function `_execute_with_mcp_client` in the experimental MCP server component fails to validate or restrict user-supplied connection targets, enabling internal network probing, potential access to cloud metadata services, and circumvention of network segmentation controls. A publicly available proof-of-concept exploit exists (GitHub gist by YLChen-007); no CISA KEV listing was present at time of analysis. The CVSS 4.0 reported score of 2.1 reflects threat-metric downgrade from E:P (proof-of-concept) and should not be taken as indicative of low inherent exploitability - the base network vector with low-privilege access represents a meaningful internal network exposure risk.
Full-read SSRF in AVideo through version 27.0 allows authenticated administrators to make the server fetch arbitrary URLs via the statsURL parameter in plugin/Live/test.php, including cloud metadata endpoints and internal network services. The endpoint bypasses the codebase's own isSSRFSafeURL() guard - used in seven other endpoints - and returns full response bodies in the HTML output, enabling retrieval of IAM credentials from cloud metadata services such as 169.254.169.254, internal service data, and network configuration details. No public exploit code has been formally labeled as proof-of-concept, but the GHSA advisory discloses the complete vulnerable code path with all three sink functions (file_get_contents, curl_exec, wget), making exploitation trivial for any party who has read the advisory.
Server-side request forgery in Capgo's webhook URL validation exposes internal infrastructure to organization admins who can direct the backend to issue HTTP requests against loopback and private addresses (localhost, 127.0.0.1). All Capgo versions prior to 12.128.2 are affected per the GitHub Security Advisory GHSA-48hc-53hv-6x3f. The vulnerability is particularly dangerous in cloud-hosted deployments where the backend server can reach instance metadata services (e.g., AWS IMDS), and error responses are disclosed directly to the triggering user, enabling iterative internal network reconnaissance. No public exploit identified at time of analysis and no CISA KEV listing, but the authenticated-admin attack path lowers the effective barrier in multi-tenant SaaS environments.
Flowise before 2.1.4 allows configuration to be injected into the Chainflow during execution via the overrideConfig option, supported in both the frontend web integration and the backend Prediction. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Code Injection vulnerability could allow attackers to inject and execute arbitrary code within the application.
Incomplete SSRF remediation in mailpit v1.29.2 through v1.30.1 leaves the Link Check API bypassable via IPv6 transition mechanism literals (6to4, NAT64, IPv4-compatible IPv6, ISATAP, Teredo) and unclassified IPv6 prefixes (fec0::/10, 2001:db8::/32) that Go's stdlib Is* classification helpers silently pass. An unauthenticated network attacker who can deliver email to mailpit's SMTP listener and invoke the Link Check API can coerce the application into dialing internal IPv4 destinations - including cloud metadata endpoints at 169.254.169.254 - by encoding the target as an IPv6 literal that returns false for all seven predicates in IsInternalIP, bypassing the guard introduced for CVE-2026-27808. Publicly available exploit code exists in the form of a reproducible unit test and end-to-end proof-of-concept published in the advisory; this is the same deny-list bypass class confirmed in CVE-2026-44430 (MCP Registry) and CVE-2026-45741 (Gotenberg).
Server-Side Request Forgery and arbitrary JavaScript injection in Craft CMS 4.x (before 4.18) and 5.x (before 5.10) allow remote unauthenticated attackers to poison the Host or X-Forwarded-Host header against the /actions/app/resource-js endpoint, forcing the backend Guzzle client to proxy attacker-controlled content as application/javascript. When the instance sits behind a caching layer, this chains into web cache poisoning, stored XSS in the Control Panel, and 1-click RCE via session-riding the plugin install action. No public exploit identified at time of analysis, though the GitHub Security Advisory (GHSA-c55v-343g-5xff) provides detailed exploitation mechanics.
Server-Side Request Forgery in Mercator's CVE configuration panel allows authenticated users holding the low-privilege 'configure' permission to coerce the application server into issuing arbitrary outbound network requests to any internal or external host. Affected versions prior to 2025.05.19 pass user-supplied URLs directly to curl_init() in ConfigurationController::testProvider() with no scheme, hostname, or private-IP validation; the intended /api/dbInfo suffix restriction is trivially defeated by appending a # fragment character, granting full URL control. Support for the telnet:// scheme enables internal TCP port scanning, while gopher:// permits raw protocol-level interaction with unauthenticated internal services such as Redis and Memcached, creating a realistic path to Remote Code Execution on those systems under common deployment conditions. No public exploit code or CISA KEV listing has been identified at time of analysis.
Server-Side Request Forgery in AWX's GitHub webhook integration (Red Hat Ansible Automation Platform 2) enables a remote attacker possessing a job template's webhook_key to redirect PAT-bearing status callbacks to an attacker-controlled endpoint, exfiltrating the configured GitHub Personal Access Token. The attack exploits AWX's failure to validate that the pull_request.statuses_url field in an incoming webhook payload points to a legitimate GitHub API domain before using it as a POST target. No public exploit is identified at time of analysis, but successful exploitation yields persistent GitHub repository access through the stolen PAT, extending the blast radius well beyond the AWX system itself.
PhpWeasyPrint (pontedilana/php-weasyprint) prior to version 2.6.0 enables server-side request forgery and local file disclosure through its `attachment` option, which passes any URL-shaped value through PHP's `file_get_contents()` without restricting the URL scheme. Applications that expose the `attachment` option to user-controlled input allow an attacker to probe internal HTTP endpoints (including cloud instance metadata services) and read arbitrary local files by supplying schemes such as `file://` or `php://filter/...`, with exfiltrated content embedded directly into the generated PDF output. This is the same vulnerability class patched in KnpLabs/snappy (GHSA-c5fp-p67m-gq56); no public exploit or CISA KEV listing exists at time of analysis.
Unauthenticated callers can trigger server-side request forgery against NL Portal Backend Libraries (nl.nl-portal:form versions 1.1.0.RELEASE through 3.0.3) by invoking the public GraphQL resolvers `getFormDefinitionByObjectenApiUrl` or `getFormDefinitionById`, causing the backend to issue outbound HTTP requests bearing a privileged Objecten-API `Authorization: Token` header to a caller-influenced URL on the configured Objecten-API host. The SSRF is constrained to the same configured host by a host-equality guard, and arbitrary data disclosure is further limited by strict typed deserialization in Kotlin, which keeps practical real-world impact at Medium despite unauthenticated network access. A lab proof-of-concept was confirmed by the reporter against the real Spring WebFlux stack; no public exploit code has been independently identified and the vulnerability is not listed in CISA KEV.
Server-Side Request Forgery in the Bit Integrations WordPress plugin (all versions through 2.8.7) allows unauthenticated attackers to force the web server to issue arbitrary HTTP requests to internal or external locations via the upload_attachment function. Exploitation enables querying and modifying data from internal services reachable by the web server, including metadata services in cloud environments, internal APIs, or private network endpoints. No public exploit is identified at time of analysis, but the attack requires only a default integration configuration, substantially lowering the practical barrier to exploitation.
Server-Side Request Forgery in the Advanced Import WordPress plugin (all versions through 1.4.6) allows authenticated users holding Author-level access or higher to force the web server to issue HTTP requests to arbitrary internal or external URLs via the demo_download_and_unzip() AJAX handler. The critical design flaw is the inconsistent use of wp_remote_get() instead of WordPress's own wp_safe_remote_get() - which the plugin correctly employs elsewhere - meaning no SSRF-aware URL validation is applied to the 'demo_file' POST parameter when 'demo_file_type' is set to 'url'. No public exploit code has been identified at time of analysis, but the scope change in the CVSS vector reflects that successful exploitation escapes the WordPress application boundary and can reach internal network services, including cloud instance metadata endpoints such as AWS IMDSv1.
Unauthenticated SSRF in signalk-server ≤2.27.0 allows remote attackers to force the server to make arbitrary HTTP/HTTPS requests to any destination, including RFC 1918 private ranges, loopback, and cloud metadata services at 169.254.169.254. On default installations where no admin user has been created, the security middleware is a no-op, meaning all three vulnerable endpoints are completely unauthenticated over the network. A detailed public PoC is included in the GitHub advisory demonstrating internal network scanning, AWS IAM credential theft via IMDSv1, and path-traversal-assisted targeted data exfiltration; no CISA KEV listing is present at time of analysis.
Server-side request forgery in Gotenberg v8.33.0 and earlier allows remote unauthenticated attackers to coerce the server into making arbitrary outbound HTTP(S) requests and to disclose local image files by uploading a crafted DOCX to the /forms/libreoffice/convert endpoint. The flaw stems from LibreOffice automatically resolving external and local resources referenced in <img> tags during conversion, exposing internal networks and on-disk image files. Publicly available exploit code exists via the vendor's GHSA-2mrg-35hw-x3x9 advisory, though no CISA KEV listing or EPSS data is available at time of analysis.
Server-Side Request Forgery in Zitadel's outgoing HTTP subsystems - HTTP Notification Channel webhooks, OIDC BackChannel Logout endpoints, and SAML Metadata URL fetches - enables authenticated users with application configuration privileges to force the Zitadel server to issue HTTP requests to internal network addresses, loopback interfaces, and cloud metadata endpoints such as the link-local IMDSv1 address 169.254.169.254. The pre-existing denylist for the Actions subsystem was additionally bypassable via DNS rebinding (TOCTOU), HTTP redirect following, and HTTPS-to-HTTP protocol downgrade, and all three newly affected components lacked denylist coverage entirely. No public exploit code has been identified at time of analysis; however, the vulnerability was independently reported by 13+ researchers, and a vendor patch is available in v4.15.2 with no backport for the v3.x branch.
Server-Side Request Forgery in the CF7 to Webhook WordPress plugin (versions up to and including 5.0.0) allows unauthenticated attackers to coerce the WordPress server into issuing arbitrary outbound HTTP requests through the pull_the_trigger functionality. Exploitation is conditional on an administrator configuring the webhook URL with a Contact Form 7 field placeholder inside the host portion of the URL, with the form publicly reachable. No public exploit identified at time of analysis, and there is no CISA KEV listing for this vulnerability.
Server-side request forgery in Typebot chatbot builder before version 3.17.2 allows remote unauthenticated attackers to bypass SSRF protections via DNS rebinding, reaching internal services and cloud metadata endpoints. The validator resolves a hostname once for allowlist checks, but the subsequent HTTP request performs a fresh DNS resolution without IP pinning, creating a time-of-check to time-of-use (TOCTOU) gap. No public exploit identified at time of analysis, though the fix commit and detailed advisory are publicly available on GitHub.
Authentication token leakage in Black Lantern Security's bbot docker_pull module exposes Docker credentials to MITM attackers who can substitute the realm parameter in a forged WWW-Authenticate Bearer challenge. When bbot contacts a Docker registry and receives a 401 response, the vulnerable module blindly trusts the attacker-supplied realm URL and forwards authentication material to an arbitrary endpoint outside the legitimate registry domain. No public exploit code has been identified and the vulnerability is not listed in CISA KEV, but an upstream patch commit is available on GitHub.
Authentication bypass in Network-AI versions 5.7.1 and earlier allows unauthenticated remote attackers to invoke all 22 MCP tools on the SSE server because the default secret is empty and `_isAuthorized()` returns true when no secret is configured. Despite the partial fix for CVE-2026-46701 in 5.4.5 (which restricted CORS to localhost origins), any non-browser caller - curl, SSRF, or a service exposed via a 0.0.0.0 bind - can still call privileged operations like `config_set`, `agent_spawn`, `blackboard_write`, and token management with zero credentials. No public exploit identified at time of analysis, but the GHSA advisory includes annotated source-code locations that effectively serve as a roadmap for exploitation.
XML External Entity injection in the HAPI FHIR core library (Maven ca.uhn.hapi.fhir:org.hl7.fhir.utilities, versions <= 6.9.9) lets an attacker who controls or MITMs XML routed through XsltUtilities.saxonTransform(...) read local files and perform blind XXE/SSRF. The three saxonTransform overloads instantiate a bare net.sf.saxon.TransformerFactoryImpl that resolves external general and parameter entities, unlike the co-located transform() siblings that use the project's hardened XXE-protected factory. Publicly available exploit code exists (a full end-to-end PoC accompanies the GitHub advisory), though there is no public exploit identified as actively used in the wild.
SSRF protection bypass in Open WebUI's SafePlaywrightURLLoader (versions <= 0.9.5) allows authenticated users to access internal network resources by supplying an externally-hosted URL that returns an HTTP 301/302 redirect to a private address. Because Playwright's page.goto() automatically follows redirects without re-validating the destination, attackers can reach localhost, container-network peers, or cloud metadata endpoints (169.254.169.254) even when ENABLE_RAG_LOCAL_WEB_FETCH=False. A working PoC is published in the GHSA advisory; there is no public exploit identified at time of analysis being actively used, and no CISA KEV listing.
Authenticated path traversal and SSRF in Open WebUI's terminal-server reverse proxy (versions <= 0.9.5) allows non-admin users with granted terminal access to escape the intended path or policy scope using double-encoded traversal sequences (%252e%252e). The flaw bypasses the project's own _sanitize_proxy_path mitigation, which performs only a single URL-decode pass before the '..' check, letting attackers reach unintended endpoints, files, and internal services routed by the terminal server. No public exploit identified at time of analysis, though the vendor advisory includes working proof-of-concept request strings.
Cross-user file disclosure in Open WebUI (pip package open-webui, versions ≤ 0.9.5) allows any authenticated user to read the content of files uploaded by other users by supplying a victim's file UUID as the image_url.url value in POST /api/chat/completions. The server's image-conversion middleware resolves the UUID against the global file table with no ownership check, base64-encodes the file, and injects it into the LLM prompt, from which the attacker reads the content via a transcription instruction. No KEV listing confirms active exploitation, but a complete step-by-step reproduction proof-of-concept is embedded in the public GitHub Security Advisory (GHSA-wch8-mhj5-9frg), materially increasing exploitation likelihood; the vendor-released fix is version 0.9.6.
Server-side request forgery in Open WebUI versions 0.9.5 and earlier allows authenticated OAuth users to read arbitrary internal HTTP responses by abusing the `_process_picture_url` function in `backend/open_webui/utils/oauth.py`, which validates only the initial URL and then permits aiohttp's default 10-redirect follow chain to reach internal addresses. The decoded response body is stored in the attacker's `profile_image_url` and retrievable via `GET /api/v1/auths/`, yielding cloud metadata credentials and access to localhost-bound services. Publicly available exploit code exists (detailed sentinel-verified PoC supplied by the reporter); no public exploit identified at time of analysis in the form of weaponized tooling, and the CVE is not on the CISA KEV list.
Server-Side Request Forgery in NocoDB's base-migration endpoint allows authenticated workspace owners to coerce the migration worker into issuing requests using arbitrary URL schemes - including file:// and ftp:// - enabling local file disclosure and interaction with non-HTTP services. The affected package is pkg:npm/nocodb at versions up to and including 0.301.3; no released patched version has been confirmed at time of analysis. Exploitation is constrained to principals holding the workspace owner role, but within that privilege tier no additional conditions are required to trigger the vulnerability. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis.
Server-Side Request Forgery in NocoDB's spreadsheet-fetch endpoint (`axiosRequestMake`) allows authenticated users with editor-level permissions to coerce the NocoDB server into issuing HTTP requests to cloud metadata services (e.g., AWS IMDSv1 at `169.254.169.254`) and other internal network resources reachable from the NocoDB process. Two distinct defensive failures enabled the attack: an un-anchored file-extension allowlist that accepted `.xlsx` anywhere in the URL path, and a hand-rolled IP blocklist that omitted `127.0.0.0/8` and `169.254.0.0/16`. On cloud-hosted deployments, this functions as a credential-exfiltration primitive. No public exploit has been identified at time of analysis, but the attack pattern is trivially reproducible from the advisory text alone.
Server-Side Request Forgery in Pydantic AI (versions 1.56.0-1.101.0, 2.0.0b1, 2.0.0b2) allows unauthenticated network attackers to bypass the cloud-metadata IP blocklist by encoding metadata service addresses (e.g., 169.254.169.254) in IPv6 transition forms - specifically IPv4-compatible IPv6, NAT64 RFC 8215 local-use prefixes, operator-chosen NAT64 prefixes, and ISATAP - that the prior remediation (CVE-2026-46678) failed to decode, enabling retrieval of cloud IAM short-term credentials. Exploitation is constrained by two simultaneous prerequisites: the application must use the non-default `force_download='allow-local'` mode and must operate on a network that routes the affected IPv6 transition forms (e.g., IPv6-only or dual-stack-with-NAT64 Kubernetes clusters). This is the third iteration in an escalating bypass chain (CVE-2026-25580 → CVE-2026-46678 → CVE-2026-48782), and no public exploit has been identified at time of analysis.
Unauthenticated server-side request forgery in Crawl4AI's Docker API server (versions < 0.8.9) lets remote attackers reach internal services and cloud-metadata endpoints by supplying a proxy address that bypasses the crawl-URL validation. Because the Docker API is unauthenticated by default and the SSRF check was only applied to the crawl target - not to the proxy destination - an attacker can route Chromium's egress through an internal IP (e.g. AWS IMDSv1 at 169.254.169.254) and read the response verbatim from the crawl result. No public exploit is identified at time of analysis, but the reporter supplied a working PoC and EPSS risk is low (0.29%, 20th percentile).
Server-Side Request Forgery in Crawl4AI's Docker API server (versions <= 0.8.7) allows unauthenticated remote attackers to bypass the IPv4/IPv6 CIDR blocklist in validate_webhook_url/validate_url_destination by using IPv6 transition forms (NAT64, 6to4, IPv4-mapped, IPv4-compatible) or the unspecified address. Since the Docker API ships with jwt_enabled:false by default, attackers can pivot the server into fetching cloud metadata endpoints like 169.254.169.254, potentially exposing IAM credentials. No public exploit identified at time of analysis, but the upstream advisory (GHSA-4qqr-vv2q-cmr5) details the exact bypass payloads.
Unauthenticated server-side request forgery in LobeHub's `/webapi/proxy` endpoint (versions <= 2.1.56) allows any remote attacker to proxy arbitrary HTTP requests through LobeHub's infrastructure and inject attacker-controlled `Set-Cookie` headers onto the `lobehub.com` domain. The flaw stems from the route handler omitting the `checkAuth()` wrapper that protects every other webapi route, enabling SSRF, infrastructure reconnaissance against Vercel internals, and a CSRF-to-session-fixation chain against Clerk auth cookies. Publicly available exploit code exists (working curl PoCs and a CSRF HTML PoC are included in the GitHub Security Advisory GHSA-xmwj-c75x-6346); no public exploit identified at time of analysis in CISA KEV.
HTTP redirect validation bypass in Hugo v0.91.0-v0.161.1 allows the `resources.GetRemote` build-time HTTP client to follow 3xx redirects to hosts explicitly forbidden by the `security.http.urls` allow-list, enabling server-side request forgery (SSRF) against internal network targets. Build pipelines that rely on `security.http.urls` as a trust boundary - for example, CI systems that fetch from semi-trusted external hosts while restricting access to internal metadata services or private IP ranges - are the primary risk population. No public exploit has been identified at time of analysis, and exploitation requires an attacker to control or manipulate an already-permitted external host.
WebSocket connections in Deno 2.8.0 and earlier silently bypass `--deny-net` network sandbox rules by exploiting a missing post-DNS-resolution IP check - the runtime validates the destination hostname but never validates the IP address that hostname resolves to, enabling a classic DNS-rebinding-style SSRF (CWE-918) within the permission system. Any script running under `deno run` with `--deny-net` restrictions can weaponize an attacker-controlled domain to reach blocked hosts such as localhost or cloud metadata endpoints (e.g., 169.254.169.254). No public exploit has been identified at time of analysis, and the issue is specific to the WebSocket API; `Deno.connect` and `fetch()` are addressed in a companion advisory.
Regex translation in the @astrojs/netlify adapter broadens Astro's image.remotePatterns beyond the intended allowlist when building for Netlify deployment, enabling unauthorized image fetches from apex hosts and deeper URL paths. Versions of @astrojs/netlify prior to 7.0.13 (confirmed vulnerable at 7.0.10) generate Netlify Image CDN regex patterns that make wildcard subdomains optional and omit end-anchoring on pathname segments, causing the Netlify CDN to accept URLs that Astro's canonical matcher would reject. Unauthenticated public requesters can exploit this to cause the Netlify Image CDN to fetch image-like resources from hosts or paths outside the developer's intended scope, constituting a partial SSRF bypass against the image proxy allowlist. No active exploitation has been confirmed in CISA KEV, but a detailed reproduction is included in the GHSA advisory.
{scheme}://{host}{path}` without validating the path prefix, and RFC 3986 §3.2.1 re-parsing then interprets the `@` symbol as a userinfo delimiter, shifting hostname authority to the attacker-supplied value. Exploitation is constrained to middleware or 404/exception handlers that act on `request.url` before routing, since the malformed path matches no registered route; no active exploitation is confirmed (not in CISA KEV) and no public exploit code beyond the advisory PoC has been identified.
Server-Side Request Forgery (SSRF) in the PopAd WordPress plugin by Vynnus allows an authenticated administrator to cause the server to make forged outbound HTTP requests to arbitrary destinations, including internal network resources. All versions through 1.0.4 are affected per CPE data (cpe:2.3:a:vynnus:popad). The scope change (S:C) in the CVSS vector confirms that successful exploitation can reach systems beyond the WordPress host itself, enabling lateral pivoting into internal infrastructure. No public exploit identified at time of analysis.
Server-side request forgery in Starlette's StaticFiles on Windows allows unauthenticated remote attackers to coerce the application process into making outbound SMB connections to attacker-controlled hosts, leaking the service account's NTLMv2 hash for offline cracking or NTLM relay. The flaw affects all Starlette versions before 1.1.0 (including downstream frameworks like FastAPI) when running on Windows in the default follow_symlink=False configuration, and no public exploit identified at time of analysis though the GHSA advisory provides full technical detail sufficient to reproduce.
Server-side request forgery in @angular/platform-server allows remote unauthenticated attackers to bypass the allowedHosts allowlist by sending a malformed Host header or absolute-form request URI (e.g., 'evil.com:80:80'), causing the SSR runtime to redirect outbound HttpClient requests to attacker-controlled origins. The flaw stems from a parser differential between Node's strict WHATWG URL parser (used for allowlist validation) and Domino's lenient parser (used for DOM origin resolution). No public exploit identified at time of analysis, but proof-of-concept patterns are documented in the GitHub Security Advisory GHSA-xrxm-cp7j-8xf6.
Server-side request forgery in python-utcp 1.1.0's utcp-gql and utcp-websocket components allows remote low-privileged attackers to coerce the server into issuing arbitrary outbound HTTP requests, potentially reaching internal infrastructure not exposed to the public internet. The affected library implements the universal-tool-calling-protocol and the vulnerable code paths reside in its GraphQL and WebSocket transport handlers. A public exploit has been disclosed via GitHub, and the vendor did not respond to coordinated disclosure, leaving no official patch available at time of analysis.
An authenticated Server-Side Request Forgery (SSRF) in the custom scraper subsystem component of Benjamin Jonard Koillection v1.8.0 allows attackers to scan internal resources via supplying a crafted URL.
Server-side request forgery in Shlink v5.0.1's automatic short URL title resolution allows remote unauthenticated attackers to probe internal network resources by submitting a crafted longUrl value. The flaw carries a CVSS 9.1 rating reflecting high confidentiality and integrity impact, though EPSS exploitation probability remains low at 0.15% and there is no public exploit identified at time of analysis beyond a referenced gist. Shlink is a self-hosted URL shortener, making this a meaningful pivot point for attackers targeting internal infrastructure behind the shortener host.
Credential exposure via SSRF in OpenClaw's message.action forwarding allows authenticated remote attackers to redirect Gateway token-bearing action payloads to attacker-supplied loopback URLs, resulting in full confidentiality compromise of Gateway credentials. Affected versions are all OpenClaw releases prior to 2026.5.2; the flaw is rooted in insufficient validation of model-controlled metadata that governs action routing. No public exploit code has been identified and this CVE is not listed in the CISA KEV catalog at time of analysis, though the Gateway credential theft impact warrants prompt patching in any deployment where OpenClaw interacts with privileged backend services.
Server-Side Request Forgery in ApostropheCMS through version 4.30.0 allows unauthenticated remote attackers to pivot the Node.js application process into issuing outbound HTTP requests to arbitrary hosts on the internal network when the `prettyUrls` SEO feature is explicitly enabled on the `@apostrophecms/file` module. The attack exploits the raw `Host` HTTP request header, which the pretty-URL handler uses verbatim to construct and `fetch()` an upstream URL, streaming the full HTTP response - status code, headers, and body - back to the requester. Practical impact is constrained to blind SSRF (network-topology probing via response-code and timing oracles, and verbose proxy or WAF error-body disclosure) rather than arbitrary data exfiltration; no patch exists at time of publication and no public exploit has been identified.
SSRF in Koel's radio station creation endpoint (POST /api/radio/stations) allows any authenticated non-admin user to coerce the server into issuing HEAD/GET requests to arbitrary internal hosts. The root cause is a missing Laravel `bail` keyword in the URL field validation chain: the SafeUrl rule correctly rejects private/reserved addresses, but without bail, the subsequent HasAudioContentType rule still executes and makes an outbound HTTP request to the attacker-supplied URL. Vendor-released patch version 9.7.1 resolves the issue; no public exploit or CISA KEV listing exists at time of analysis.
Server-Side Request Forgery in GeoServer 2.26.x prior to 2.26.4 and 2.27.x prior to 2.27.3 allows unauthenticated remote attackers to coerce the server into issuing HTTP requests to attacker-chosen destinations by abusing weak prefix matching of the proxy base URL inside the XML entity resolver. No public exploit identified at time of analysis, and EPSS exploitation probability sits at 0.06% (19th percentile), but the trivial network-only attack vector and default-enabled ENTITY_RESOLUTION_ALLOWLIST since 2.25.0 raise the realistic exposure for internet-facing instances.
Server-side request forgery in OpenClaw's Playwright-backed browser control allows authenticated low-privilege users to circumvent private-network navigation guards by chaining action-triggered redirects through the Playwright act interaction mechanism. All OpenClaw versions prior to 2026.5.18 are affected, and subsequent browser evaluation APIs can be abused to read the content of private-network pages - including internal services, admin panels, or cloud metadata endpoints reachable from the server. No public exploit code and no CISA KEV listing have been identified at time of analysis; however, the subsequent-system confidentiality impact is rated High in the CVSS 4.0 vector, reflecting meaningful data-disclosure potential in cloud-hosted or internally networked deployments.
Server-side request forgery in steipete/Summarize before v0.17.0 enables an attacker who controls a podcast RSS feed to coerce the application into fetching transcript content from loopback addresses, link-local addresses, RFC 1918 private ranges, and other reserved destinations. The vulnerability is compounded by two bypass mechanisms: DNS rebinding (allowing an attacker to pass an initial hostname check then resolve to an internal target) and unvalidated redirect-following (where intermediate redirect targets are never re-screened). Exploitation exposes internal service responses through the summarization pipeline to the attacker. No active exploitation is confirmed (not in CISA KEV), and no public exploit code has been identified; a vendor patch is available as v0.17.0.
Server-side request forgery in Garlic-Hub digital signage manager prior to version 1.1 allows authenticated users to coerce the server into issuing arbitrary HTTP requests to internal services via the uploadFromUrl endpoint. Responses are stored in the publicly accessible media pool, enabling internal port scanning, service fingerprinting, and exfiltration of internal HTTP responses. No public exploit identified at time of analysis, but the upstream commit (076b6d7) and GHSA-x24v-76hr-989r advisory disclose the patched validator logic.
Server-side request forgery in the Fediverse Embeds WordPress plugin before 1.5.8 lets any unauthenticated visitor coerce the WordPress host into issuing arbitrary outbound HTTP requests and returns the full response body to the caller, turning the site into a full-read open proxy. The flaw stems from the ftf/media-proxy REST route being registered with permission_callback => __return_true and a dead allowlist check whose result was never honored before wp_remote_get was invoked on a base64-decoded attacker-supplied URL. No public exploit identified at time of analysis, but the bug is trivial to weaponize against internal cloud metadata endpoints and intranet services from any reachable WordPress install.
Server-Side Request Forgery in the Fediverse Embeds WordPress plugin (versions prior to 1.5.9) allows any unauthenticated visitor to cause the WordPress server to fetch an arbitrary URL by abusing a publicly exposed AJAX endpoint. The nonce mechanism guarding the endpoint (`ftf-fediverse-embeds-nonce`) is not an authentication boundary - the same nonce is embedded into every public page containing a fediverse embed, making it trivially obtainable by any site visitor. Once obtained, the nonce can be replayed to invoke `file_get_html($site_url)` with an attacker-controlled URL, potentially exposing internal services such as cloud provider metadata endpoints. No active exploitation has been confirmed (CVE is not in CISA KEV) and no public proof-of-concept has been identified at time of analysis.
Server-side request forgery in Kolibri (pip/kolibri <= 0.19.3) allows network-reachable attackers to force the Kolibri server to issue outbound HTTP requests to arbitrary internal hosts, cloud metadata endpoints, and internal services, with JSON response bodies reflected directly to the caller. The primary GET endpoint at /api/auth/remotefacilityuser required no authentication whatsoever, making this exploitable by any party with network access to the Kolibri server. A working proof-of-concept was retained internally by the reporting researcher but was not published; no public exploit code exists and CISA KEV listing has not been identified at time of analysis.
Server-side request forgery in IBM Langflow Desktop 1.0.0 through 1.9.2 enables authenticated network-based attackers to coerce the application into issuing arbitrary outbound HTTP requests on their behalf. The vulnerability, classified under CWE-918, can expose internal network topology by proxying requests through the server to otherwise inaccessible hosts, and may serve as a stepping stone for further lateral movement or credential harvesting from cloud metadata services. No public exploit code has been identified at time of analysis, and a vendor-released patch is available via IBM advisory.
Server-Side Request Forgery (SSRF) in GitLab CE/EE's repository import feature allows an authenticated low-privileged user to read arbitrary files from the backend Gitaly server and probe internal network resources by supplying maliciously crafted secondary URLs that bypass input validation. Affected versions span the 18.10, 18.11, and 19.0 release lines, all patched by GitLab on 2026-06-10. No public exploit code and no CISA KEV listing have been identified at time of analysis, though the combination of authentication-only gating and network-accessible entry point makes this a meaningful lateral-movement risk in self-managed GitLab deployments.
Server-Side Request Forgery in Spring Web Services (versions 3.1.0-3.1.8, 4.0.0-4.0.18, 4.1.0-4.1.3, and 5.0.0-5.0.1) allows remote unauthenticated attackers to coerce the server into initiating outbound HTTP connections to attacker-controlled or internal destinations by abusing WS-Addressing ReplyTo/FaultTo headers. The flaw stems from WebServiceMessageSender instances dispatching to destinations taken directly from SOAP request headers without validating that the targets are safe. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Server-Side Request Forgery in the Fedify ActivityPub library (versions 0.11.2 through 2.2.3, with branch-specific cutoffs) allows remote attackers to coerce outbound fetches to non-public IPv4 destinations because the `isValidPublicIPv4Address()` allow-list misses several reserved, multicast, benchmarking, and CGNAT ranges. This is an incomplete-fix bypass of the SSRF mitigation originally tracked as GHSA-p9cg-vqcc-grcx, and at time of analysis there is no public exploit identified, though the underlying logic and patch diff are publicly disclosed in the GHSA-xw9q-2mv6-9fr8 advisory. Federated servers built on Fedify are exposed whenever they fetch attacker-controlled ActivityPub documents or media.