SSRF
Monthly
Mozilla's Embed extension contains a domain allowlist bypass in the DomainFilteringAdapter due to insufficient hostname boundary validation in its regex pattern, allowing attacker-controlled domains like youtube.com.evil to pass validation checks for youtube.com. This vulnerability enables Server-Side Request Forgery attacks via the OscaroteroEmbedAdapter to probe internal services, and Cross-Site Scripting attacks through unsanitized oEmbed HTML responses returned by compromised domains. No patch is currently available for this medium-severity flaw.
A Host Header Spoofing vulnerability in the @local_check decorator of pyload-ng allows unauthenticated external attackers to bypass local-only IP address restrictions on the Click'N'Load API endpoints by sending a crafted HTTP Host header. This authentication bypass enables remote attackers to queue arbitrary downloads on the affected pyload instance, leading to Server-Side Request Forgery (SSRF) attacks against internal or external systems and Denial of Service through resource exhaustion. A proof-of-concept exploit exists in the form of a simple curl command that demonstrates immediate exploitability without user interaction.
The BulkEmbed plugin in AVideo fails to validate thumbnail URLs in its save endpoint, allowing authenticated attackers to conduct Server-Side Request Forgery (SSRF) attacks and retrieve responses from internal network resources. An attacker can supply malicious URLs via the bulk embed feature to force the server to make HTTP requests to internal systems and view the cached thumbnail responses. This vulnerability affects PHP-based AVideo installations and requires authentication to exploit.
BMC FootPrints ITSM contains a blind server-side request forgery (SSRF) vulnerability in the externalfeed/RSS API component that allows authenticated attackers to trigger arbitrary outbound requests from the server. Affected versions range from 20.20.02 through 20.24.01.001, and attackers can exploit insufficient validation of externally supplied resource references to interact with internal services or cause resource exhaustion impacting availability. The vulnerability carries a CVSS score of 4.3 with low complexity and low attack vector, requiring only authentication; no active exploitation in the wild has been confirmed, but the disclosure references suggest potential chaining with pre-authentication RCE vectors documented by security researchers.
A blind server-side request forgery (SSRF) vulnerability exists in the searchWeb API component of BMC FootPrints ITSM versions 20.20.02 through 20.24.01.001, allowing authenticated attackers to cause the server to initiate arbitrary outbound requests through improper URL validation. Attackers can exploit this to perform internal network scanning or interact with internal services, potentially impacting system availability and confidentiality. A publicly available proof-of-concept exists, and vendor patches are available.
The AVideo Scheduler plugin fails to validate callback URLs against Server-Side Request Forgery (SSRF) protections, allowing authenticated administrators to configure scheduled tasks that make HTTP requests to internal networks, cloud metadata services, and private IP ranges. An attacker with admin access can retrieve AWS/GCP/Azure instance metadata credentials (including IAM role tokens) or probe internal APIs not exposed to the internet. A proof-of-concept exists demonstrating credential extraction from AWS metadata endpoints at 169.254.169.254.
An XML External Entity (XXE) vulnerability in the XMLUtils.java component of Slovensko.Digital Autogram allows remote unauthenticated attackers to conduct Server-Side Request Forgery (SSRF) attacks and read local files from the filesystem. The vulnerability affects Autogram software and can be exploited when a victim visits a specially crafted website that sends malicious XML to the application's local HTTP server /sign endpoint. A blog post detailing exploitation research is publicly available, increasing the likelihood of exploitation attempts.
OpenClaw versions prior to 2026.3.1 contain a server-side request forgery (SSRF) vulnerability in the web_search citation redirect resolution component that permits requests to private network ranges. Authenticated attackers with low privileges can manipulate citation redirect targets to force the OpenClaw server to make requests to loopback addresses, private networks, or internal infrastructure, potentially accessing sensitive internal services or data. The vulnerability has a CVSS score of 7.4 with changed scope, indicating potential lateral movement beyond the vulnerable component.
Wgcloud v3.6.3's database connection test feature contains a server-side request forgery (SSRF) vulnerability that allows unauthenticated remote attackers to probe internal networks and retrieve malicious files. An attacker can exploit this high-severity flaw to conduct reconnaissance on network infrastructure and facilitate further compromise, though no patch is currently available.
Kan, an open-source project management tool, contains a Server-Side Request Forgery (SSRF) vulnerability in its unauthenticated /api/download/attatchment endpoint in versions 0.5.4 and below. Attackers can exploit this to make arbitrary HTTP requests from the server to internal services, cloud metadata endpoints (such as AWS EC2 metadata at 169.254.169.254), or private network resources without any authentication. With a CVSS score of 8.6 (High) reflecting network-based attack vector, low complexity, and no privileges required, this poses significant risk for confidentiality breaches in affected deployments.
Budibase, a low-code platform distributed as a Docker/Kubernetes application, contains a Server-Side Request Forgery (SSRF) vulnerability in its REST datasource query preview endpoint. Authenticated admin users can force the server to make HTTP requests to arbitrary URLs including cloud metadata services, internal networks, and Kubernetes APIs. A detailed proof-of-concept exists demonstrating theft of GCP OAuth2 tokens with cloud-platform scope, CouchDB credential extraction, and internal service enumeration. The CVSS score of 8.7 reflects high confidentiality and integrity impact with changed scope, requiring high privileges but low attack complexity.
PinchTab contains a Server-Side Request Forgery (SSRF) vulnerability in its /download endpoint that allows unauthenticated attackers to bypass URL validation and cause the embedded Chromium browser to make requests to internal network services. The vulnerability affects PinchTab versions 0.7.x and 0.8.x when the security.allowDownload setting is enabled (disabled by default), and exploits a validation gap where only the initial user-supplied URL is checked while subsequent browser-initiated requests (redirects, JavaScript navigations, resource fetches) bypass this protection entirely. Although the attacker cannot receive response bodies from internal services (blind SSRF), they can trigger state-changing endpoints on localhost or private network addresses reachable from the PinchTab host, with a proof-of-concept publicly available demonstrating counter increments on internal services.
The @aborruso/ckan-mcp-server MCP server contains a Server-Side Request Forgery (SSRF) vulnerability in its ckan_package_search, sparql_query, and ckan_datastore_search_sql tools, which accept an arbitrary base_url parameter without validation, allowing attackers to scan internal networks, exfiltrate cloud metadata credentials (including IAM tokens from 169.254.169.254), and potentially execute injection attacks. The vulnerability affects the npm package @aborruso/ckan-mcp-server (pkg:npm/@aborruso/ckan-mcp-server) and requires prompt injection to exploit, making attack complexity high; a proof-of-concept exists demonstrating 9 unthrottled HTTP requests to a canary endpoint, and patch availability exists from the vendor.
A remote code execution vulnerability in A flaw (CVSS 5.8) that allows an attacker. Remediation should follow standard vulnerability management procedures.
OpenClaw versions prior to 2026.3.2 contain a DNS pinning bypass vulnerability that allows authenticated attackers to circumvent SSRF (Server-Side Request Forgery) protections by exploiting environment proxy variable configuration. When HTTP_PROXY, HTTPS_PROXY, or ALL_PROXY environment variables are present, attackers can route malicious URLs through proxy mechanisms instead of pinned-destination routing, enabling access to internal resources that should be protected. The vulnerability requires low privilege (PR:L) and non-interactive attack (UI:N) with medium attack complexity (AC:H), resulting in high confidentiality impact (C:H) and lesser integrity and availability impact. A patch is available from the vendor.
A Server-Side Request Forgery (SSRF) vulnerability in AVideo's LiveLinks proxy endpoint allows unauthenticated attackers to access internal services and cloud metadata by exploiting missing validation on HTTP redirect targets. The vulnerability enables attackers to bypass initial URL validation through a malicious redirect, potentially exposing AWS/GCP/Azure instance metadata including IAM credentials. A detailed proof-of-concept is available and a patch has been released by the vendor.
A flaw was found in libsoup, a library used by applications to send network requests.
A Server-Side Request Forgery (SSRF) vulnerability exists in frdel/agent-zero version 0.9.7 within the handle_pdf_document function of python/helpers/document_query.py. This allows authenticated remote attackers to manipulate PDF document handling to perform arbitrary server-side requests, potentially accessing internal services or exfiltrating sensitive data. A public proof-of-concept exploit is available, and the vendor has not responded to early disclosure notifications, increasing the practical risk of exploitation.
The PPT File Handler in taoofagi easegen-admin contains a server-side request forgery vulnerability in the downloadFile function that allows authenticated remote attackers to manipulate file URLs and access arbitrary network resources. Public exploit code exists for this vulnerability, and the vendor has not provided patches or updates despite notification. The flaw affects Java-based deployments using the affected rolling release version.
An unauthenticated Server-Side Request Forgery (SSRF) and Local File Read vulnerability exists in the Admidio SSO metadata fetch endpoint, which accepts arbitrary URLs via GET parameter and passes them directly to file_get_contents() after validating only with PHP's FILTER_VALIDATE_URL-a format checker that does not block dangerous URI schemes. An authenticated administrator can exploit this to read arbitrary local files (including database credentials from config.php), probe internal network services, or fetch cloud instance metadata (such as AWS IAM credentials from 169.254.169.254). A proof-of-concept demonstrating all attack vectors has been published; CVSS 6.8 reflects high confidentiality impact but is mitigated by the requirement for administrator privileges.
Mattermost Server versions 11.3.0, 11.2.x through 11.2.2, and 10.11.x through 10.11.10 contain a server-side request forgery (SSRF) vulnerability due to improper validation of IPv4-mapped IPv6 addresses, allowing authenticated attackers to bypass reserved IP restrictions and access internal services. An attacker with login credentials can craft requests using IPv6 notation (such as [::ffff:127.0.0.1]) to reach localhost or other restricted internal endpoints that would normally be blocked. No patch is currently available for this vulnerability.
Java URL parsing in Spinnaker's clouddriver and Orca components fails to properly validate URLs containing underscores, allowing authenticated attackers to bypass URL sanitation controls and potentially execute arbitrary code or access unauthorized resources. This vulnerability affects both the clouddriver artifact handling and Orca fromUrl expression evaluation in versions prior to 2025.2.4, 2025.3.1, 2025.4.1, and 2026.0.0. Patched versions are available, and affected deployments can temporarily disable the vulnerable components as a workaround.
Raytha CMS contains a Server-Side Request Forgery (SSRF) vulnerability in its Theme Import from URL feature that allows authenticated high-privilege users to manipulate server-side HTTP requests to arbitrary destinations. An attacker with administrative or similar elevated privileges can leverage this to redirect the CMS server's outbound requests to internal systems, external resources, or arbitrary URLs, potentially leading to information disclosure or lateral movement attacks. The vulnerability affects versions prior to 1.4.6 and is fixed in version 1.4.6 and later.
Server-side request forgery in Vanna AI versions up to 2.0.2 allows unauthenticated remote attackers to manipulate the update_sql and run_sql endpoints in the Flask component. Public exploit code exists for this vulnerability, and no patch is currently available from the vendor despite early notification.
Server-side request forgery in FlowCI flow-core-x up to version 1.23.01 allows authenticated remote attackers to conduct SSRF attacks through the SMTP Host Handler configuration function. Public exploit code exists for this vulnerability and the vendor has not released a patch. An attacker with valid credentials can manipulate the system to make arbitrary outbound requests from the affected server.
Server-side request forgery in Glowxq OJ's test case upload functionality (ProblemCaseController.java) allows unauthenticated remote attackers to make arbitrary network requests from the affected server. Public exploit code is available and the vulnerability remains unpatched, with the vendor unresponsive to disclosure attempts.
SSRF in Centrifugo real-time messaging before 6.7.0.
A Server-Side Request Forgery (SSRF) vulnerability exists in Gift Up! Gift Cards for WordPress and WooCommerce plugin versions up to 3.1.7, allowing unauthenticated attackers to make arbitrary HTTP requests from the vulnerable server. This could enable attackers to access internal services, scan internal networks, or exfiltrate sensitive data from systems accessible only to the server. The vulnerability has a CVSS score of 5.4 (Medium) with network-based attack vector and low impact on confidentiality and integrity.
Simple Blog Card versions 2.37 and earlier contain a Server-Side Request Forgery vulnerability that allows authenticated attackers to make arbitrary requests from the affected server. An attacker with login credentials can leverage this to access internal resources, interact with backend services, or potentially exfiltrate sensitive data. No patch is currently available for this vulnerability.
MailerPress through version 1.4.2 contains a server-side request forgery (SSRF) vulnerability that allows authenticated attackers to make arbitrary network requests from the affected server. An attacker with valid credentials could exploit this to access internal services, scan the network, or interact with backend systems. No patch is currently available for this vulnerability.
Embed PDF Viewer through version 2.4.7 contains a server-side request forgery (SSRF) vulnerability that allows authenticated attackers to make arbitrary network requests from the affected server. An attacker with valid credentials could potentially access internal resources or services not otherwise exposed to the internet. No patch is currently available for this vulnerability.
A Server-Side Request Forgery (SSRF) vulnerability exists in `@backstage/plugin-auth-backend` when `auth.experimentalClientIdMetadataDocuments.enabled` is set to `true`. The CIMD metadata fetch validates the initial `client_id` hostname against private IP ranges but does not apply the same validation after HTTP redirects. The practical impact is limited. The attacker cannot read the response body from the internal request, cannot control request headers or method, and the feature must be explicitly enabled via an experimental flag that is off by default. Deployments that restrict `allowedClientIdPatterns` to specific trusted domains are not affected. Patched in `@backstage/plugin-auth-backend` version `0.27.1`. The fix disables HTTP redirect following when fetching CIMD metadata documents. Disable the experimental CIMD feature by removing or setting `auth.experimentalClientIdMetadataDocuments.enabled` to `false` in your app-config. This is the default configuration. Alternatively, restrict `allowedClientIdPatterns` to specific trusted domains rather than using the default wildcard pattern. - [IETF Client ID Metadata Document draft](https://datatracker.ietf.org/doc/draft-ietf-oauth-client-id-metadata-document/) - [MCP Authorization Specification - Client ID Metadata Documents](https://modelcontextprotocol.io/specification/2025-11-25/basic/authorization#client-id-metadata-documents)
OpenCTI versions prior to 6.8.16 contain a server-side request forgery vulnerability in the data ingestion feature that fails to validate user-supplied URLs, allowing authenticated attackers to send requests to arbitrary internal endpoints and services. The Axios HTTP client's permissive default configuration processes absolute URLs without restriction, enabling semi-blind SSRF attacks that can compromise internal systems despite limited response visibility. This vulnerability requires authentication but affects all deployments running vulnerable versions.
Server-side request forgery in wvp-GB28181-pro up to version 2.7.4-20260107 allows authenticated attackers to manipulate the MediaServer.streamIp parameter in the IP Address Handler component, enabling arbitrary network requests from the affected server. Public exploit code exists for this vulnerability, and the vendor has not provided a patch or response to the disclosure.
Server-side request forgery in zyddnys manga-image-translator through beta-0.3 allows authenticated remote attackers to forge requests via the to_pil_image function in the Translate Endpoints component. The vulnerability has been publicly disclosed with exploit code available, though the vendor has not yet released a patch or responded to notification.
Woahai321 ListSync versions up to 0.6.6 contain a server-side request forgery vulnerability in the JSON handler component that allows authenticated remote attackers to make arbitrary HTTP requests from the affected server. Public exploit code exists for this vulnerability, and the vendor has not yet responded to the disclosure. An attacker with valid credentials can leverage this to access internal resources or attack systems on the server's network.
Blind SSRF in 2FAuth 2FA manager before 6.1.0.
The ha-mcp OAuth consent form (beta feature) accepts a user-supplied `ha_url` and makes a server-side HTTP request to `{ha_url}/api/config` with no URL validation. An unauthenticated attacker can submit arbitrary URLs to perform internal network reconnaissance via an error oracle. Two additional code paths in OAuth tool calls (REST and WebSocket) are affected by the same primitive. The primary deployment method (private URL with pre-configured `HOMEASSISTANT_TOKEN`) is not affected. **Code path 1 - Consent form validation** (reported) When a user submits the OAuth consent form, `_validate_ha_credentials()` (`provider.py`) makes a server-side GET request to `{ha_url}/api/config` with no scheme, IP, or domain validation. Different exception types produce distinct error messages, creating an error oracle: | Outcome | Message returned | Information leaked | |---------|------------------|--------------------| | `ConnectError` | "Could not connect..." | Host down or port closed | | `TimeoutException` | "Connection timed out..." | Host up, port filtered | | HTTP 401 | "Invalid access token..." | Service alive, requires auth | | HTTP 403 | "Access forbidden..." | Service alive, forbidden | | HTTP ≥ 400 | "Failed to connect: HTTP {N}" | Service alive, exact status | An attacker can drive the flow programmatically: register a client via open DCR (`POST /register`), initiate authorization, extract a `txn_id`, and submit arbitrary `ha_url` values. No user interaction required. **Code path 2 - REST tool calls with forged token** OAuth access tokens are stateless base64-encoded JSON payloads (`{"ha_url": "...", "ha_token": "..."}`). Since tokens are not signed, an attacker can forge a token with an arbitrary `ha_url`. REST tool calls then make HTTP requests to hardcoded HA API paths on that host (`/config`, `/states`, `/services`, etc.). JSON responses are returned to the caller. In practice, path control is limited - most endpoints use absolute paths that ignore the `ha_url` path component. Useful exfiltration requires the target to return JSON at HA API paths, which is unlikely for non-HA services. **Code path 3 - WebSocket tool calls with forged token** The same forged token triggers WebSocket connections to `ws://{ha_url}/api/websocket`. The client follows the HA WebSocket handshake protocol (waits for `auth_required`, sends `auth`, expects `auth_ok`). Non-HA targets fail at the protocol level and return nothing useful. Realistic exploitation is limited to pivoting to another HA instance on the internal network. **Confirmed:** Internal network reconnaissance via error oracle (all 3 code paths). An attacker can map reachable hosts and open ports from the server's network position. OAuth mode is a **beta** feature, documented separately in `docs/OAUTH.md` and not part of the main setup instructions. The standard deployment method (pre-configured `HOMEASSISTANT_URL` and `HOMEASSISTANT_TOKEN`) is not affected. Upgrade to 7.0.0
High severity vulnerability in SiYuan Note. # The `/api/network/forwardProxy` endpoint allows authenticated users to make arbitrary HTTP requests from the server. The endpoint accepts a user-controlled URL and makes HTTP requests to it, returning the full response body and headers. There is no URL validation to prevent requests to internal networks, localhost, or cloud metadata services.
SSRF in Plunk email platform before 0.7.0.
OpenProject is an open-source, web-based project management software. Prior to 17.2.0, OpenProject SMTP test endpoint (POST /admin/settings/mail_notifications) accepts arbitrary host and port values and exhibits measurable differences in response behaviour depending on whether the target IP exists and whether the port is open. An attacker with access can use these timing and error distinctions to map internal hosts and identify which services/ports are reachable. Similarly, you can create web...
Quill before v0.7.1 contains a server-side request forgery vulnerability in its Apple notarization log retrieval functionality that fails to validate URL schemes and destination hosts. Exploitation requires an attacker to intercept or modify API responses, making it primarily a threat in environments with TLS-intercepting proxies, compromised certificate authorities, or other trust boundary violations. An attacker could redirect notarization requests to internal or multicast addresses, potentially exposing sensitive information or accessing restricted resources.
Frappe is a full-stack web application framework. versions up to 14.100.1 is affected by server-side request forgery (ssrf) (CVSS 5.0).
An issue pertaining to CWE-918: Server-Side Request Forgery was discovered in Sunbird-Ed SunbirdEd-portal v1.13.4. This allows attackers to obtain sensitive information [CVSS 7.5 HIGH]
Server-side request forgery in multiple Adobe Commerce versions allows high-privileged attackers to bypass security controls by manipulating internal server requests without user interaction. Affected versions include 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, and 2.4.4-p16 or earlier. No patch is currently available.
Server-side request forgery in Adobe Commerce 2.4.4 through 2.4.9-alpha3 enables high-privileged attackers to bypass security controls and access unauthorized resources without user interaction. The vulnerability affects multiple versions across the Commerce and Commerce B2B product lines, allowing manipulation of internal server requests from an authenticated administrative context. No patch is currently available.
Flowise versions prior to 3.0.13 allow unauthenticated users to trigger Server-Side Request Forgery (SSRF) attacks through improperly validated URLs in the HTTP Node component, enabling attackers to probe internal networks and cloud metadata endpoints from the Flowise server. Public exploit code exists for this vulnerability, and no patch is currently available for affected deployments. Any organization running a publicly exposed Flowise instance is at immediate risk of internal network reconnaissance and potential credential theft from cloud environments.
Server-side request forgery in LinkAce allows authenticated users to make arbitrary HTTP requests to internal network addresses and cloud metadata endpoints by providing malicious URLs during link creation, bypassing validation controls that exist elsewhere in the application. An attacker with valid credentials can exploit this to access Docker service hostnames, internal services, and sensitive metadata endpoints. No patch is currently available for this vulnerability affecting PHP-based LinkAce deployments.
pdfmake versions 0.3.0-beta.2 through 0.3.5 contain a server-side request forgery vulnerability in the URLResolver component that allows unauthenticated remote attackers to access sensitive information through crafted URL requests. Affected applications using vulnerable versions without proper URL access controls are at risk of information disclosure. No patch is currently available, though version 0.3.6 introduces URL access policy controls to mitigate the risk.
Azure IoT Explorer is vulnerable to server-side request forgery that enables unauthenticated network-based attackers to perform spoofing attacks and access sensitive information. The vulnerability requires no user interaction and can be exploited remotely with low attack complexity, affecting the confidentiality of exposed data. No patch is currently available.
Authenticated users can exploit a server-side request forgery vulnerability in Azure MCP Server to escalate their privileges across the network, potentially gaining unauthorized access to sensitive resources. The vulnerability affects Microsoft Azure environments and requires only low attack complexity with no user interaction, making it a significant risk for organizations using this service. No patch is currently available, leaving affected systems exposed to exploitation.
SAP NetWeaver Application Server for ABAP contains a server-side request forgery vulnerability in a built-in ABAP testing report that allows authenticated attackers to send HTTP requests to arbitrary internal or external endpoints. Successful exploitation could enable reconnaissance of sensitive internal systems and potential data exfiltration, though availability is not impacted. Currently, no patch is available for this vulnerability.
vLLM 0.17.0 contains a Server-Side Request Forgery (SSRF) vulnerability where inconsistent URL parsing between the validation layer (urllib3) and the HTTP client (aiohttp/yarl) allows authenticated attackers to bypass SSRF protections and make requests to internal resources. An attacker with valid credentials can craft malicious URLs to access restricted endpoints or internal services that should be blocked by the SSRF mitigation implemented in version 0.15.1.
IKEA Dirigera v2.866.4 contains a server-side request forgery vulnerability that enables authenticated attackers with high privileges to extract private cryptographic keys through specially crafted requests. The vulnerability impacts the confidentiality of sensitive authentication material while also introducing integrity and availability risks, though no patch is currently available.
SSRF vulnerability in ThermaKube Kubernetes monitoring tool allows server-side requests to internal services.
Server-side request forgery in Bytedesk versions up to 1.3.9 allows authenticated attackers to manipulate the apiUrl parameter in the SpringAIGiteeRestService component, enabling them to make arbitrary network requests from the affected server. Public exploit code exists for this vulnerability, which requires valid user credentials to exploit. Users should upgrade to version 1.4.5.4 or later to remediate the issue.
Server-side request forgery in Bytedesk versions up to 1.3.9 allows authenticated attackers to manipulate the apiUrl parameter in the SpringAIOpenrouterRestController, enabling arbitrary HTTP requests from the affected server. Public exploit code exists for this vulnerability, increasing the risk of active exploitation. Upgrading to version 1.4.5.4 or later resolves this issue.
ContiNew Admin up to version 4.2.0 contains a server-side request forgery vulnerability in its Storage Management Module that allows remote attackers to manipulate URI creation functions with high privileges. Public exploit code exists for this vulnerability, and no patch is currently available from the vendor despite early disclosure notification.
XXL-Job versions up to 3.3.2 contain a server-side request forgery vulnerability in the JobInfoController that allows authenticated attackers to make arbitrary HTTP requests from the server due to insufficient access token validation. An attacker with valid credentials can exploit this remotely to conduct SSRF attacks against internal systems. Public exploit code exists for this vulnerability, and no patch is currently available.
Server-side request forgery in bufanyun HotGo's ImageTransferStorage endpoint allows authenticated attackers to initiate arbitrary outbound requests from the vulnerable server. Public exploit code exists for this vulnerability, and the vendor has not provided patches or updates.
Server-side request forgery in welovemedia FFmate through version 2.0.15 allows authenticated remote attackers to manipulate the fireWebhook function and force the server to make arbitrary HTTP requests. Public exploit code exists for this vulnerability, and the vendor has not provided a patch despite early notification.
PinchTab is a standalone HTTP server that gives AI agents direct control over a Chrome browser. [CVSS 7.5 HIGH]
Server-side request forgery in Wallos versions before 4.6.2 allows authenticated attackers to conduct arbitrary network requests through the notification tester functionality. An attacker with user privileges can exploit this to access internal services, retrieve sensitive data, or interact with backend systems on behalf of the server. Public exploit code exists for this vulnerability, though a patch is available in version 4.6.2.
Wallos versions prior to 4.6.2 contain a server-side request forgery (SSRF) vulnerability in the webhook notification testing function that fails to restrict requests to private IP ranges, allowing authenticated attackers to read internal server responses. Public exploit code exists for this vulnerability. The vulnerability affects Wallos and has been patched in version 4.6.2.
Unauthenticated Server-Side Request Forgery in Homarr versions before 1.54.0 enables remote attackers to initiate arbitrary outbound HTTP requests from the server, potentially accessing internal network resources and private IP ranges. Public exploit code exists for this vulnerability. The issue is resolved in version 1.54.0 and later.
WeKnora's document import feature is vulnerable to Server-Side Request Forgery through HTTP redirects, allowing unauthenticated remote attackers to bypass URL validation controls and access internal services despite backend protections against private IPs and metadata endpoints. The vulnerability affects WeKnora versions prior to 0.2.12 when deployed in Docker environments, where host.docker.internal addresses are not blocked. Public exploit code exists and no patch is currently available.
Plane is an an open-source project management tool. [CVSS 8.5 HIGH]
Server-Side Request Forgery in Wekan 8.32-8.33 allows authenticated users to force the server to make arbitrary HTTP requests by supplying malicious attachment URLs during board imports from JSON data or Trello. An attacker could exploit this to access internal network services, cloud metadata endpoints, or expose sensitive credentials without any URL validation occurring on the server side.
Lemmy, a link aggregator and forum for the fediverse, is vulnerable to server-side request forgery via a dependency on activitypub_federation, a framework for ActivityPub federation in Rust. Prior to version 0.19.16, the GET /api/v4/image/{filename} endpoint is vulnerable to unauthenticated SSRF through parameter injection in the file_type query parameter. An attacker can inject arbitrary query parameters into the internal request to pict-rs, including the proxy parameter which causes pict-rs...
SSRF in Ghostfolio wealth management before 2.245.0. Patch available.
OpenSift versions prior to 1.6.3-alpha are vulnerable to server-side request forgery (SSRF) attacks through the URL ingest pipeline, which fails to properly validate credentialed URLs, non-standard ports, and cross-host redirects in non-localhost deployments. An unauthenticated remote attacker can exploit this to access internal resources and potentially exfiltrate sensitive data from the affected system. No patch is currently available for this vulnerability.
Idno prior to version 1.6.4 contains an authentication bypass in the URL unfurl API endpoint that allows unauthenticated attackers to trigger arbitrary outbound HTTP requests from the server. An attacker can exploit this to access internal network addresses and cloud metadata services, potentially exposing sensitive configuration and credentials. No patch is currently available for affected installations.
OpenClaw versions before 2026.2.14 fail to validate base URLs in the Tlon Urbit extension, allowing attackers to trigger server-side request forgery attacks that direct the gateway to arbitrary hosts, including internal systems. This network-accessible vulnerability requires no authentication and can result in information disclosure and service disruption. No patch is currently available.
OpenClaw prior to version 2026.2.2 is vulnerable to server-side request forgery through its attachment and media URL processing, allowing unauthenticated remote attackers to make arbitrary HTTP requests to internal resources. Attackers can exploit model-controlled message features to trigger the SSRF and exfiltrate response data as outbound attachments. Public exploit code exists for this vulnerability.
OpenClaw versions before 2026.2.14 contain unprotected server-side request forgery flaws in the Feishu extension that enable remote attackers to access internal services and exfiltrate data without authentication. Attackers can exploit the sendMediaFeishu function and markdown image processing through direct manipulation or prompt injection to force the application to fetch attacker-controlled URLs and re-upload responses as Feishu media. A patch is available to remediate this network-accessible vulnerability affecting AI/ML deployments.
Twenty CRM versions prior to 1.18 allow authenticated users to bypass SSRF protections by exploiting unvalidated HTTP redirect targets, enabling access to private IP addresses through attacker-controlled intermediaries. An attacker with control over webhook endpoints or image URLs can leverage this vulnerability to reach restricted internal resources that would normally be blocked.
SkatDesign Ratatouille versions up to 1.2.6 contain a server-side request forgery vulnerability that allows authenticated attackers to make arbitrary HTTP requests from the affected system. An attacker with valid credentials can leverage this flaw to access internal services, retrieve sensitive information, or perform actions on behalf of the server across different security domains. No patch is currently available for this medium-severity vulnerability.
The @opennextjs/cloudflare package is vulnerable to Server-Side Request Forgery (SSRF) through a path normalization bypass in the /cdn-cgi/image/ handler, where attackers can use backslash substitution to evade edge interception and trigger arbitrary remote URL fetches. This affects production deployments that rely on Cloudflare's edge to block such requests, allowing attackers to access internal resources or perform outbound requests to attacker-controlled servers. A patch is available.
Code injection bypass in Craft CMS before 5.9.0-beta.1/4.17.0-beta.1 via blocklist evasion. Patch available.
The PostX WordPress plugin versions up to 5.0.8 contains a server-side request forgery vulnerability in its REST API endpoints that allows authenticated administrators to make arbitrary web requests from the server to internal or external systems. This could enable attackers with admin privileges to query, exfiltrate, or modify data from internal services accessible to the web server. No patch is currently available for this vulnerability.
Homebox prior to 0.24.0-rc.1 allows authenticated users to trigger HTTP POST requests to arbitrary destinations through the notifier feature without host or port validation, enabling attackers to enumerate internal services by observing application behavior differences based on network responses. The vulnerability affects all users with authentication access to the notifier functionality and carries a medium risk due to its reliance on behavioral side-channels rather than direct information disclosure.
Server-Side Request Forgery in the Uncanny Automator WordPress plugin up to version 7.0.0.3 allows authenticated administrators to make arbitrary web requests from the affected server and store remote file contents locally, potentially enabling remote code execution. The vulnerability requires administrator-level privileges and has no available patch. Attackers can exploit this to interact with internal services and upload arbitrary files to the web server.
Chamilo LMS prior to 1.11.30 has a blind SSRF vulnerability enabling internal network reconnaissance from the learning platform.
Chamilo is a learning management system. Prior to version 1.11.28, the OpenId function allows anyone to send requests to any URL on server's behalf, which results in unauthenticated blind SSRF. [CVSS 5.3 MEDIUM]
Featured Image from Content (featured-image-from-content) WordPress plugin versions prior to 1.7 contain an authenticated server-side request forgery vulnerability that allows Author-level users to fetch internal HTTP resources.
Server-Side Request Forgery in Gradio prior to version 6.6.0 allows attackers to execute arbitrary HTTP requests through a victim's infrastructure by crafting a malicious Space with a poisoned proxy_url configuration. Applications that load untrusted Gradio Spaces via gr.load() are vulnerable to attacks targeting internal services, cloud metadata endpoints, and private networks. No patch is currently available for affected Python/ML applications.
Kiteworks versions prior to 9.2.0 contain a DNS rebinding vulnerability that allows authenticated administrators to circumvent SSRF protections and access restricted internal services. An attacker with administrative privileges could exploit this misconfiguration to reach backend systems that should be isolated from external access. No patch is currently available for affected deployments.
Xerox FreeFlow Core versions through 8.0.7 contain an XML External Entity (XXE) vulnerability that allows unauthenticated remote attackers to conduct Server-Side Request Forgery attacks by submitting malicious XML input. This vulnerability could enable attackers to access internal resources or sensitive data on the affected system. A patch is currently unavailable, though Xerox recommends upgrading to version 8.1.0.
Server-side request forgery in Paicoding 1.0.0-1.0.3 allows authenticated attackers to manipulate the image upload parameter and trigger arbitrary outbound requests from the affected server. Public exploit code exists for this vulnerability, and the vendor has not provided a patch despite early notification. The attack requires valid credentials but poses risks to internal network reconnaissance and data exfiltration.
Server-side request forgery in PSI Probe up to version 5.3.0 allows authenticated attackers to conduct arbitrary network requests through the Whois lookup function. Public exploit code exists for this vulnerability, and no patch is currently available from the vendor. The flaw requires valid credentials but can be exploited remotely with minimal complexity.
Mozilla's Embed extension contains a domain allowlist bypass in the DomainFilteringAdapter due to insufficient hostname boundary validation in its regex pattern, allowing attacker-controlled domains like youtube.com.evil to pass validation checks for youtube.com. This vulnerability enables Server-Side Request Forgery attacks via the OscaroteroEmbedAdapter to probe internal services, and Cross-Site Scripting attacks through unsanitized oEmbed HTML responses returned by compromised domains. No patch is currently available for this medium-severity flaw.
A Host Header Spoofing vulnerability in the @local_check decorator of pyload-ng allows unauthenticated external attackers to bypass local-only IP address restrictions on the Click'N'Load API endpoints by sending a crafted HTTP Host header. This authentication bypass enables remote attackers to queue arbitrary downloads on the affected pyload instance, leading to Server-Side Request Forgery (SSRF) attacks against internal or external systems and Denial of Service through resource exhaustion. A proof-of-concept exploit exists in the form of a simple curl command that demonstrates immediate exploitability without user interaction.
The BulkEmbed plugin in AVideo fails to validate thumbnail URLs in its save endpoint, allowing authenticated attackers to conduct Server-Side Request Forgery (SSRF) attacks and retrieve responses from internal network resources. An attacker can supply malicious URLs via the bulk embed feature to force the server to make HTTP requests to internal systems and view the cached thumbnail responses. This vulnerability affects PHP-based AVideo installations and requires authentication to exploit.
BMC FootPrints ITSM contains a blind server-side request forgery (SSRF) vulnerability in the externalfeed/RSS API component that allows authenticated attackers to trigger arbitrary outbound requests from the server. Affected versions range from 20.20.02 through 20.24.01.001, and attackers can exploit insufficient validation of externally supplied resource references to interact with internal services or cause resource exhaustion impacting availability. The vulnerability carries a CVSS score of 4.3 with low complexity and low attack vector, requiring only authentication; no active exploitation in the wild has been confirmed, but the disclosure references suggest potential chaining with pre-authentication RCE vectors documented by security researchers.
A blind server-side request forgery (SSRF) vulnerability exists in the searchWeb API component of BMC FootPrints ITSM versions 20.20.02 through 20.24.01.001, allowing authenticated attackers to cause the server to initiate arbitrary outbound requests through improper URL validation. Attackers can exploit this to perform internal network scanning or interact with internal services, potentially impacting system availability and confidentiality. A publicly available proof-of-concept exists, and vendor patches are available.
The AVideo Scheduler plugin fails to validate callback URLs against Server-Side Request Forgery (SSRF) protections, allowing authenticated administrators to configure scheduled tasks that make HTTP requests to internal networks, cloud metadata services, and private IP ranges. An attacker with admin access can retrieve AWS/GCP/Azure instance metadata credentials (including IAM role tokens) or probe internal APIs not exposed to the internet. A proof-of-concept exists demonstrating credential extraction from AWS metadata endpoints at 169.254.169.254.
An XML External Entity (XXE) vulnerability in the XMLUtils.java component of Slovensko.Digital Autogram allows remote unauthenticated attackers to conduct Server-Side Request Forgery (SSRF) attacks and read local files from the filesystem. The vulnerability affects Autogram software and can be exploited when a victim visits a specially crafted website that sends malicious XML to the application's local HTTP server /sign endpoint. A blog post detailing exploitation research is publicly available, increasing the likelihood of exploitation attempts.
OpenClaw versions prior to 2026.3.1 contain a server-side request forgery (SSRF) vulnerability in the web_search citation redirect resolution component that permits requests to private network ranges. Authenticated attackers with low privileges can manipulate citation redirect targets to force the OpenClaw server to make requests to loopback addresses, private networks, or internal infrastructure, potentially accessing sensitive internal services or data. The vulnerability has a CVSS score of 7.4 with changed scope, indicating potential lateral movement beyond the vulnerable component.
Wgcloud v3.6.3's database connection test feature contains a server-side request forgery (SSRF) vulnerability that allows unauthenticated remote attackers to probe internal networks and retrieve malicious files. An attacker can exploit this high-severity flaw to conduct reconnaissance on network infrastructure and facilitate further compromise, though no patch is currently available.
Kan, an open-source project management tool, contains a Server-Side Request Forgery (SSRF) vulnerability in its unauthenticated /api/download/attatchment endpoint in versions 0.5.4 and below. Attackers can exploit this to make arbitrary HTTP requests from the server to internal services, cloud metadata endpoints (such as AWS EC2 metadata at 169.254.169.254), or private network resources without any authentication. With a CVSS score of 8.6 (High) reflecting network-based attack vector, low complexity, and no privileges required, this poses significant risk for confidentiality breaches in affected deployments.
Budibase, a low-code platform distributed as a Docker/Kubernetes application, contains a Server-Side Request Forgery (SSRF) vulnerability in its REST datasource query preview endpoint. Authenticated admin users can force the server to make HTTP requests to arbitrary URLs including cloud metadata services, internal networks, and Kubernetes APIs. A detailed proof-of-concept exists demonstrating theft of GCP OAuth2 tokens with cloud-platform scope, CouchDB credential extraction, and internal service enumeration. The CVSS score of 8.7 reflects high confidentiality and integrity impact with changed scope, requiring high privileges but low attack complexity.
PinchTab contains a Server-Side Request Forgery (SSRF) vulnerability in its /download endpoint that allows unauthenticated attackers to bypass URL validation and cause the embedded Chromium browser to make requests to internal network services. The vulnerability affects PinchTab versions 0.7.x and 0.8.x when the security.allowDownload setting is enabled (disabled by default), and exploits a validation gap where only the initial user-supplied URL is checked while subsequent browser-initiated requests (redirects, JavaScript navigations, resource fetches) bypass this protection entirely. Although the attacker cannot receive response bodies from internal services (blind SSRF), they can trigger state-changing endpoints on localhost or private network addresses reachable from the PinchTab host, with a proof-of-concept publicly available demonstrating counter increments on internal services.
The @aborruso/ckan-mcp-server MCP server contains a Server-Side Request Forgery (SSRF) vulnerability in its ckan_package_search, sparql_query, and ckan_datastore_search_sql tools, which accept an arbitrary base_url parameter without validation, allowing attackers to scan internal networks, exfiltrate cloud metadata credentials (including IAM tokens from 169.254.169.254), and potentially execute injection attacks. The vulnerability affects the npm package @aborruso/ckan-mcp-server (pkg:npm/@aborruso/ckan-mcp-server) and requires prompt injection to exploit, making attack complexity high; a proof-of-concept exists demonstrating 9 unthrottled HTTP requests to a canary endpoint, and patch availability exists from the vendor.
A remote code execution vulnerability in A flaw (CVSS 5.8) that allows an attacker. Remediation should follow standard vulnerability management procedures.
OpenClaw versions prior to 2026.3.2 contain a DNS pinning bypass vulnerability that allows authenticated attackers to circumvent SSRF (Server-Side Request Forgery) protections by exploiting environment proxy variable configuration. When HTTP_PROXY, HTTPS_PROXY, or ALL_PROXY environment variables are present, attackers can route malicious URLs through proxy mechanisms instead of pinned-destination routing, enabling access to internal resources that should be protected. The vulnerability requires low privilege (PR:L) and non-interactive attack (UI:N) with medium attack complexity (AC:H), resulting in high confidentiality impact (C:H) and lesser integrity and availability impact. A patch is available from the vendor.
A Server-Side Request Forgery (SSRF) vulnerability in AVideo's LiveLinks proxy endpoint allows unauthenticated attackers to access internal services and cloud metadata by exploiting missing validation on HTTP redirect targets. The vulnerability enables attackers to bypass initial URL validation through a malicious redirect, potentially exposing AWS/GCP/Azure instance metadata including IAM credentials. A detailed proof-of-concept is available and a patch has been released by the vendor.
A flaw was found in libsoup, a library used by applications to send network requests.
A Server-Side Request Forgery (SSRF) vulnerability exists in frdel/agent-zero version 0.9.7 within the handle_pdf_document function of python/helpers/document_query.py. This allows authenticated remote attackers to manipulate PDF document handling to perform arbitrary server-side requests, potentially accessing internal services or exfiltrating sensitive data. A public proof-of-concept exploit is available, and the vendor has not responded to early disclosure notifications, increasing the practical risk of exploitation.
The PPT File Handler in taoofagi easegen-admin contains a server-side request forgery vulnerability in the downloadFile function that allows authenticated remote attackers to manipulate file URLs and access arbitrary network resources. Public exploit code exists for this vulnerability, and the vendor has not provided patches or updates despite notification. The flaw affects Java-based deployments using the affected rolling release version.
An unauthenticated Server-Side Request Forgery (SSRF) and Local File Read vulnerability exists in the Admidio SSO metadata fetch endpoint, which accepts arbitrary URLs via GET parameter and passes them directly to file_get_contents() after validating only with PHP's FILTER_VALIDATE_URL-a format checker that does not block dangerous URI schemes. An authenticated administrator can exploit this to read arbitrary local files (including database credentials from config.php), probe internal network services, or fetch cloud instance metadata (such as AWS IAM credentials from 169.254.169.254). A proof-of-concept demonstrating all attack vectors has been published; CVSS 6.8 reflects high confidentiality impact but is mitigated by the requirement for administrator privileges.
Mattermost Server versions 11.3.0, 11.2.x through 11.2.2, and 10.11.x through 10.11.10 contain a server-side request forgery (SSRF) vulnerability due to improper validation of IPv4-mapped IPv6 addresses, allowing authenticated attackers to bypass reserved IP restrictions and access internal services. An attacker with login credentials can craft requests using IPv6 notation (such as [::ffff:127.0.0.1]) to reach localhost or other restricted internal endpoints that would normally be blocked. No patch is currently available for this vulnerability.
Java URL parsing in Spinnaker's clouddriver and Orca components fails to properly validate URLs containing underscores, allowing authenticated attackers to bypass URL sanitation controls and potentially execute arbitrary code or access unauthorized resources. This vulnerability affects both the clouddriver artifact handling and Orca fromUrl expression evaluation in versions prior to 2025.2.4, 2025.3.1, 2025.4.1, and 2026.0.0. Patched versions are available, and affected deployments can temporarily disable the vulnerable components as a workaround.
Raytha CMS contains a Server-Side Request Forgery (SSRF) vulnerability in its Theme Import from URL feature that allows authenticated high-privilege users to manipulate server-side HTTP requests to arbitrary destinations. An attacker with administrative or similar elevated privileges can leverage this to redirect the CMS server's outbound requests to internal systems, external resources, or arbitrary URLs, potentially leading to information disclosure or lateral movement attacks. The vulnerability affects versions prior to 1.4.6 and is fixed in version 1.4.6 and later.
Server-side request forgery in Vanna AI versions up to 2.0.2 allows unauthenticated remote attackers to manipulate the update_sql and run_sql endpoints in the Flask component. Public exploit code exists for this vulnerability, and no patch is currently available from the vendor despite early notification.
Server-side request forgery in FlowCI flow-core-x up to version 1.23.01 allows authenticated remote attackers to conduct SSRF attacks through the SMTP Host Handler configuration function. Public exploit code exists for this vulnerability and the vendor has not released a patch. An attacker with valid credentials can manipulate the system to make arbitrary outbound requests from the affected server.
Server-side request forgery in Glowxq OJ's test case upload functionality (ProblemCaseController.java) allows unauthenticated remote attackers to make arbitrary network requests from the affected server. Public exploit code is available and the vulnerability remains unpatched, with the vendor unresponsive to disclosure attempts.
SSRF in Centrifugo real-time messaging before 6.7.0.
A Server-Side Request Forgery (SSRF) vulnerability exists in Gift Up! Gift Cards for WordPress and WooCommerce plugin versions up to 3.1.7, allowing unauthenticated attackers to make arbitrary HTTP requests from the vulnerable server. This could enable attackers to access internal services, scan internal networks, or exfiltrate sensitive data from systems accessible only to the server. The vulnerability has a CVSS score of 5.4 (Medium) with network-based attack vector and low impact on confidentiality and integrity.
Simple Blog Card versions 2.37 and earlier contain a Server-Side Request Forgery vulnerability that allows authenticated attackers to make arbitrary requests from the affected server. An attacker with login credentials can leverage this to access internal resources, interact with backend services, or potentially exfiltrate sensitive data. No patch is currently available for this vulnerability.
MailerPress through version 1.4.2 contains a server-side request forgery (SSRF) vulnerability that allows authenticated attackers to make arbitrary network requests from the affected server. An attacker with valid credentials could exploit this to access internal services, scan the network, or interact with backend systems. No patch is currently available for this vulnerability.
Embed PDF Viewer through version 2.4.7 contains a server-side request forgery (SSRF) vulnerability that allows authenticated attackers to make arbitrary network requests from the affected server. An attacker with valid credentials could potentially access internal resources or services not otherwise exposed to the internet. No patch is currently available for this vulnerability.
A Server-Side Request Forgery (SSRF) vulnerability exists in `@backstage/plugin-auth-backend` when `auth.experimentalClientIdMetadataDocuments.enabled` is set to `true`. The CIMD metadata fetch validates the initial `client_id` hostname against private IP ranges but does not apply the same validation after HTTP redirects. The practical impact is limited. The attacker cannot read the response body from the internal request, cannot control request headers or method, and the feature must be explicitly enabled via an experimental flag that is off by default. Deployments that restrict `allowedClientIdPatterns` to specific trusted domains are not affected. Patched in `@backstage/plugin-auth-backend` version `0.27.1`. The fix disables HTTP redirect following when fetching CIMD metadata documents. Disable the experimental CIMD feature by removing or setting `auth.experimentalClientIdMetadataDocuments.enabled` to `false` in your app-config. This is the default configuration. Alternatively, restrict `allowedClientIdPatterns` to specific trusted domains rather than using the default wildcard pattern. - [IETF Client ID Metadata Document draft](https://datatracker.ietf.org/doc/draft-ietf-oauth-client-id-metadata-document/) - [MCP Authorization Specification - Client ID Metadata Documents](https://modelcontextprotocol.io/specification/2025-11-25/basic/authorization#client-id-metadata-documents)
OpenCTI versions prior to 6.8.16 contain a server-side request forgery vulnerability in the data ingestion feature that fails to validate user-supplied URLs, allowing authenticated attackers to send requests to arbitrary internal endpoints and services. The Axios HTTP client's permissive default configuration processes absolute URLs without restriction, enabling semi-blind SSRF attacks that can compromise internal systems despite limited response visibility. This vulnerability requires authentication but affects all deployments running vulnerable versions.
Server-side request forgery in wvp-GB28181-pro up to version 2.7.4-20260107 allows authenticated attackers to manipulate the MediaServer.streamIp parameter in the IP Address Handler component, enabling arbitrary network requests from the affected server. Public exploit code exists for this vulnerability, and the vendor has not provided a patch or response to the disclosure.
Server-side request forgery in zyddnys manga-image-translator through beta-0.3 allows authenticated remote attackers to forge requests via the to_pil_image function in the Translate Endpoints component. The vulnerability has been publicly disclosed with exploit code available, though the vendor has not yet released a patch or responded to notification.
Woahai321 ListSync versions up to 0.6.6 contain a server-side request forgery vulnerability in the JSON handler component that allows authenticated remote attackers to make arbitrary HTTP requests from the affected server. Public exploit code exists for this vulnerability, and the vendor has not yet responded to the disclosure. An attacker with valid credentials can leverage this to access internal resources or attack systems on the server's network.
Blind SSRF in 2FAuth 2FA manager before 6.1.0.
The ha-mcp OAuth consent form (beta feature) accepts a user-supplied `ha_url` and makes a server-side HTTP request to `{ha_url}/api/config` with no URL validation. An unauthenticated attacker can submit arbitrary URLs to perform internal network reconnaissance via an error oracle. Two additional code paths in OAuth tool calls (REST and WebSocket) are affected by the same primitive. The primary deployment method (private URL with pre-configured `HOMEASSISTANT_TOKEN`) is not affected. **Code path 1 - Consent form validation** (reported) When a user submits the OAuth consent form, `_validate_ha_credentials()` (`provider.py`) makes a server-side GET request to `{ha_url}/api/config` with no scheme, IP, or domain validation. Different exception types produce distinct error messages, creating an error oracle: | Outcome | Message returned | Information leaked | |---------|------------------|--------------------| | `ConnectError` | "Could not connect..." | Host down or port closed | | `TimeoutException` | "Connection timed out..." | Host up, port filtered | | HTTP 401 | "Invalid access token..." | Service alive, requires auth | | HTTP 403 | "Access forbidden..." | Service alive, forbidden | | HTTP ≥ 400 | "Failed to connect: HTTP {N}" | Service alive, exact status | An attacker can drive the flow programmatically: register a client via open DCR (`POST /register`), initiate authorization, extract a `txn_id`, and submit arbitrary `ha_url` values. No user interaction required. **Code path 2 - REST tool calls with forged token** OAuth access tokens are stateless base64-encoded JSON payloads (`{"ha_url": "...", "ha_token": "..."}`). Since tokens are not signed, an attacker can forge a token with an arbitrary `ha_url`. REST tool calls then make HTTP requests to hardcoded HA API paths on that host (`/config`, `/states`, `/services`, etc.). JSON responses are returned to the caller. In practice, path control is limited - most endpoints use absolute paths that ignore the `ha_url` path component. Useful exfiltration requires the target to return JSON at HA API paths, which is unlikely for non-HA services. **Code path 3 - WebSocket tool calls with forged token** The same forged token triggers WebSocket connections to `ws://{ha_url}/api/websocket`. The client follows the HA WebSocket handshake protocol (waits for `auth_required`, sends `auth`, expects `auth_ok`). Non-HA targets fail at the protocol level and return nothing useful. Realistic exploitation is limited to pivoting to another HA instance on the internal network. **Confirmed:** Internal network reconnaissance via error oracle (all 3 code paths). An attacker can map reachable hosts and open ports from the server's network position. OAuth mode is a **beta** feature, documented separately in `docs/OAUTH.md` and not part of the main setup instructions. The standard deployment method (pre-configured `HOMEASSISTANT_URL` and `HOMEASSISTANT_TOKEN`) is not affected. Upgrade to 7.0.0
High severity vulnerability in SiYuan Note. # The `/api/network/forwardProxy` endpoint allows authenticated users to make arbitrary HTTP requests from the server. The endpoint accepts a user-controlled URL and makes HTTP requests to it, returning the full response body and headers. There is no URL validation to prevent requests to internal networks, localhost, or cloud metadata services.
SSRF in Plunk email platform before 0.7.0.
OpenProject is an open-source, web-based project management software. Prior to 17.2.0, OpenProject SMTP test endpoint (POST /admin/settings/mail_notifications) accepts arbitrary host and port values and exhibits measurable differences in response behaviour depending on whether the target IP exists and whether the port is open. An attacker with access can use these timing and error distinctions to map internal hosts and identify which services/ports are reachable. Similarly, you can create web...
Quill before v0.7.1 contains a server-side request forgery vulnerability in its Apple notarization log retrieval functionality that fails to validate URL schemes and destination hosts. Exploitation requires an attacker to intercept or modify API responses, making it primarily a threat in environments with TLS-intercepting proxies, compromised certificate authorities, or other trust boundary violations. An attacker could redirect notarization requests to internal or multicast addresses, potentially exposing sensitive information or accessing restricted resources.
Frappe is a full-stack web application framework. versions up to 14.100.1 is affected by server-side request forgery (ssrf) (CVSS 5.0).
An issue pertaining to CWE-918: Server-Side Request Forgery was discovered in Sunbird-Ed SunbirdEd-portal v1.13.4. This allows attackers to obtain sensitive information [CVSS 7.5 HIGH]
Server-side request forgery in multiple Adobe Commerce versions allows high-privileged attackers to bypass security controls by manipulating internal server requests without user interaction. Affected versions include 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, and 2.4.4-p16 or earlier. No patch is currently available.
Server-side request forgery in Adobe Commerce 2.4.4 through 2.4.9-alpha3 enables high-privileged attackers to bypass security controls and access unauthorized resources without user interaction. The vulnerability affects multiple versions across the Commerce and Commerce B2B product lines, allowing manipulation of internal server requests from an authenticated administrative context. No patch is currently available.
Flowise versions prior to 3.0.13 allow unauthenticated users to trigger Server-Side Request Forgery (SSRF) attacks through improperly validated URLs in the HTTP Node component, enabling attackers to probe internal networks and cloud metadata endpoints from the Flowise server. Public exploit code exists for this vulnerability, and no patch is currently available for affected deployments. Any organization running a publicly exposed Flowise instance is at immediate risk of internal network reconnaissance and potential credential theft from cloud environments.
Server-side request forgery in LinkAce allows authenticated users to make arbitrary HTTP requests to internal network addresses and cloud metadata endpoints by providing malicious URLs during link creation, bypassing validation controls that exist elsewhere in the application. An attacker with valid credentials can exploit this to access Docker service hostnames, internal services, and sensitive metadata endpoints. No patch is currently available for this vulnerability affecting PHP-based LinkAce deployments.
pdfmake versions 0.3.0-beta.2 through 0.3.5 contain a server-side request forgery vulnerability in the URLResolver component that allows unauthenticated remote attackers to access sensitive information through crafted URL requests. Affected applications using vulnerable versions without proper URL access controls are at risk of information disclosure. No patch is currently available, though version 0.3.6 introduces URL access policy controls to mitigate the risk.
Azure IoT Explorer is vulnerable to server-side request forgery that enables unauthenticated network-based attackers to perform spoofing attacks and access sensitive information. The vulnerability requires no user interaction and can be exploited remotely with low attack complexity, affecting the confidentiality of exposed data. No patch is currently available.
Authenticated users can exploit a server-side request forgery vulnerability in Azure MCP Server to escalate their privileges across the network, potentially gaining unauthorized access to sensitive resources. The vulnerability affects Microsoft Azure environments and requires only low attack complexity with no user interaction, making it a significant risk for organizations using this service. No patch is currently available, leaving affected systems exposed to exploitation.
SAP NetWeaver Application Server for ABAP contains a server-side request forgery vulnerability in a built-in ABAP testing report that allows authenticated attackers to send HTTP requests to arbitrary internal or external endpoints. Successful exploitation could enable reconnaissance of sensitive internal systems and potential data exfiltration, though availability is not impacted. Currently, no patch is available for this vulnerability.
vLLM 0.17.0 contains a Server-Side Request Forgery (SSRF) vulnerability where inconsistent URL parsing between the validation layer (urllib3) and the HTTP client (aiohttp/yarl) allows authenticated attackers to bypass SSRF protections and make requests to internal resources. An attacker with valid credentials can craft malicious URLs to access restricted endpoints or internal services that should be blocked by the SSRF mitigation implemented in version 0.15.1.
IKEA Dirigera v2.866.4 contains a server-side request forgery vulnerability that enables authenticated attackers with high privileges to extract private cryptographic keys through specially crafted requests. The vulnerability impacts the confidentiality of sensitive authentication material while also introducing integrity and availability risks, though no patch is currently available.
SSRF vulnerability in ThermaKube Kubernetes monitoring tool allows server-side requests to internal services.
Server-side request forgery in Bytedesk versions up to 1.3.9 allows authenticated attackers to manipulate the apiUrl parameter in the SpringAIGiteeRestService component, enabling them to make arbitrary network requests from the affected server. Public exploit code exists for this vulnerability, which requires valid user credentials to exploit. Users should upgrade to version 1.4.5.4 or later to remediate the issue.
Server-side request forgery in Bytedesk versions up to 1.3.9 allows authenticated attackers to manipulate the apiUrl parameter in the SpringAIOpenrouterRestController, enabling arbitrary HTTP requests from the affected server. Public exploit code exists for this vulnerability, increasing the risk of active exploitation. Upgrading to version 1.4.5.4 or later resolves this issue.
ContiNew Admin up to version 4.2.0 contains a server-side request forgery vulnerability in its Storage Management Module that allows remote attackers to manipulate URI creation functions with high privileges. Public exploit code exists for this vulnerability, and no patch is currently available from the vendor despite early disclosure notification.
XXL-Job versions up to 3.3.2 contain a server-side request forgery vulnerability in the JobInfoController that allows authenticated attackers to make arbitrary HTTP requests from the server due to insufficient access token validation. An attacker with valid credentials can exploit this remotely to conduct SSRF attacks against internal systems. Public exploit code exists for this vulnerability, and no patch is currently available.
Server-side request forgery in bufanyun HotGo's ImageTransferStorage endpoint allows authenticated attackers to initiate arbitrary outbound requests from the vulnerable server. Public exploit code exists for this vulnerability, and the vendor has not provided patches or updates.
Server-side request forgery in welovemedia FFmate through version 2.0.15 allows authenticated remote attackers to manipulate the fireWebhook function and force the server to make arbitrary HTTP requests. Public exploit code exists for this vulnerability, and the vendor has not provided a patch despite early notification.
PinchTab is a standalone HTTP server that gives AI agents direct control over a Chrome browser. [CVSS 7.5 HIGH]
Server-side request forgery in Wallos versions before 4.6.2 allows authenticated attackers to conduct arbitrary network requests through the notification tester functionality. An attacker with user privileges can exploit this to access internal services, retrieve sensitive data, or interact with backend systems on behalf of the server. Public exploit code exists for this vulnerability, though a patch is available in version 4.6.2.
Wallos versions prior to 4.6.2 contain a server-side request forgery (SSRF) vulnerability in the webhook notification testing function that fails to restrict requests to private IP ranges, allowing authenticated attackers to read internal server responses. Public exploit code exists for this vulnerability. The vulnerability affects Wallos and has been patched in version 4.6.2.
Unauthenticated Server-Side Request Forgery in Homarr versions before 1.54.0 enables remote attackers to initiate arbitrary outbound HTTP requests from the server, potentially accessing internal network resources and private IP ranges. Public exploit code exists for this vulnerability. The issue is resolved in version 1.54.0 and later.
WeKnora's document import feature is vulnerable to Server-Side Request Forgery through HTTP redirects, allowing unauthenticated remote attackers to bypass URL validation controls and access internal services despite backend protections against private IPs and metadata endpoints. The vulnerability affects WeKnora versions prior to 0.2.12 when deployed in Docker environments, where host.docker.internal addresses are not blocked. Public exploit code exists and no patch is currently available.
Plane is an an open-source project management tool. [CVSS 8.5 HIGH]
Server-Side Request Forgery in Wekan 8.32-8.33 allows authenticated users to force the server to make arbitrary HTTP requests by supplying malicious attachment URLs during board imports from JSON data or Trello. An attacker could exploit this to access internal network services, cloud metadata endpoints, or expose sensitive credentials without any URL validation occurring on the server side.
Lemmy, a link aggregator and forum for the fediverse, is vulnerable to server-side request forgery via a dependency on activitypub_federation, a framework for ActivityPub federation in Rust. Prior to version 0.19.16, the GET /api/v4/image/{filename} endpoint is vulnerable to unauthenticated SSRF through parameter injection in the file_type query parameter. An attacker can inject arbitrary query parameters into the internal request to pict-rs, including the proxy parameter which causes pict-rs...
SSRF in Ghostfolio wealth management before 2.245.0. Patch available.
OpenSift versions prior to 1.6.3-alpha are vulnerable to server-side request forgery (SSRF) attacks through the URL ingest pipeline, which fails to properly validate credentialed URLs, non-standard ports, and cross-host redirects in non-localhost deployments. An unauthenticated remote attacker can exploit this to access internal resources and potentially exfiltrate sensitive data from the affected system. No patch is currently available for this vulnerability.
Idno prior to version 1.6.4 contains an authentication bypass in the URL unfurl API endpoint that allows unauthenticated attackers to trigger arbitrary outbound HTTP requests from the server. An attacker can exploit this to access internal network addresses and cloud metadata services, potentially exposing sensitive configuration and credentials. No patch is currently available for affected installations.
OpenClaw versions before 2026.2.14 fail to validate base URLs in the Tlon Urbit extension, allowing attackers to trigger server-side request forgery attacks that direct the gateway to arbitrary hosts, including internal systems. This network-accessible vulnerability requires no authentication and can result in information disclosure and service disruption. No patch is currently available.
OpenClaw prior to version 2026.2.2 is vulnerable to server-side request forgery through its attachment and media URL processing, allowing unauthenticated remote attackers to make arbitrary HTTP requests to internal resources. Attackers can exploit model-controlled message features to trigger the SSRF and exfiltrate response data as outbound attachments. Public exploit code exists for this vulnerability.
OpenClaw versions before 2026.2.14 contain unprotected server-side request forgery flaws in the Feishu extension that enable remote attackers to access internal services and exfiltrate data without authentication. Attackers can exploit the sendMediaFeishu function and markdown image processing through direct manipulation or prompt injection to force the application to fetch attacker-controlled URLs and re-upload responses as Feishu media. A patch is available to remediate this network-accessible vulnerability affecting AI/ML deployments.
Twenty CRM versions prior to 1.18 allow authenticated users to bypass SSRF protections by exploiting unvalidated HTTP redirect targets, enabling access to private IP addresses through attacker-controlled intermediaries. An attacker with control over webhook endpoints or image URLs can leverage this vulnerability to reach restricted internal resources that would normally be blocked.
SkatDesign Ratatouille versions up to 1.2.6 contain a server-side request forgery vulnerability that allows authenticated attackers to make arbitrary HTTP requests from the affected system. An attacker with valid credentials can leverage this flaw to access internal services, retrieve sensitive information, or perform actions on behalf of the server across different security domains. No patch is currently available for this medium-severity vulnerability.
The @opennextjs/cloudflare package is vulnerable to Server-Side Request Forgery (SSRF) through a path normalization bypass in the /cdn-cgi/image/ handler, where attackers can use backslash substitution to evade edge interception and trigger arbitrary remote URL fetches. This affects production deployments that rely on Cloudflare's edge to block such requests, allowing attackers to access internal resources or perform outbound requests to attacker-controlled servers. A patch is available.
Code injection bypass in Craft CMS before 5.9.0-beta.1/4.17.0-beta.1 via blocklist evasion. Patch available.
The PostX WordPress plugin versions up to 5.0.8 contains a server-side request forgery vulnerability in its REST API endpoints that allows authenticated administrators to make arbitrary web requests from the server to internal or external systems. This could enable attackers with admin privileges to query, exfiltrate, or modify data from internal services accessible to the web server. No patch is currently available for this vulnerability.
Homebox prior to 0.24.0-rc.1 allows authenticated users to trigger HTTP POST requests to arbitrary destinations through the notifier feature without host or port validation, enabling attackers to enumerate internal services by observing application behavior differences based on network responses. The vulnerability affects all users with authentication access to the notifier functionality and carries a medium risk due to its reliance on behavioral side-channels rather than direct information disclosure.
Server-Side Request Forgery in the Uncanny Automator WordPress plugin up to version 7.0.0.3 allows authenticated administrators to make arbitrary web requests from the affected server and store remote file contents locally, potentially enabling remote code execution. The vulnerability requires administrator-level privileges and has no available patch. Attackers can exploit this to interact with internal services and upload arbitrary files to the web server.
Chamilo LMS prior to 1.11.30 has a blind SSRF vulnerability enabling internal network reconnaissance from the learning platform.
Chamilo is a learning management system. Prior to version 1.11.28, the OpenId function allows anyone to send requests to any URL on server's behalf, which results in unauthenticated blind SSRF. [CVSS 5.3 MEDIUM]
Featured Image from Content (featured-image-from-content) WordPress plugin versions prior to 1.7 contain an authenticated server-side request forgery vulnerability that allows Author-level users to fetch internal HTTP resources.
Server-Side Request Forgery in Gradio prior to version 6.6.0 allows attackers to execute arbitrary HTTP requests through a victim's infrastructure by crafting a malicious Space with a poisoned proxy_url configuration. Applications that load untrusted Gradio Spaces via gr.load() are vulnerable to attacks targeting internal services, cloud metadata endpoints, and private networks. No patch is currently available for affected Python/ML applications.
Kiteworks versions prior to 9.2.0 contain a DNS rebinding vulnerability that allows authenticated administrators to circumvent SSRF protections and access restricted internal services. An attacker with administrative privileges could exploit this misconfiguration to reach backend systems that should be isolated from external access. No patch is currently available for affected deployments.
Xerox FreeFlow Core versions through 8.0.7 contain an XML External Entity (XXE) vulnerability that allows unauthenticated remote attackers to conduct Server-Side Request Forgery attacks by submitting malicious XML input. This vulnerability could enable attackers to access internal resources or sensitive data on the affected system. A patch is currently unavailable, though Xerox recommends upgrading to version 8.1.0.
Server-side request forgery in Paicoding 1.0.0-1.0.3 allows authenticated attackers to manipulate the image upload parameter and trigger arbitrary outbound requests from the affected server. Public exploit code exists for this vulnerability, and the vendor has not provided a patch despite early notification. The attack requires valid credentials but poses risks to internal network reconnaissance and data exfiltration.
Server-side request forgery in PSI Probe up to version 5.3.0 allows authenticated attackers to conduct arbitrary network requests through the Whois lookup function. Public exploit code exists for this vulnerability, and no patch is currently available from the vendor. The flaw requires valid credentials but can be exploited remotely with minimal complexity.