Skip to main content

SSRF

2862 CVEs technique

Monthly

CVE-2026-41914 npm MEDIUM PATCH This Month

OpenClaw before 2026.4.8 contains a server-side request forgery vulnerability in QQ Bot media download paths that bypass SSRF protection. Attackers can exploit unprotected media fetch endpoints to access internal resources and bypass allowlist policies.

SSRF Openclaw
NVD GitHub VulDB
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-41912 npm MEDIUM PATCH This Month

OpenClaw before 2026.4.8 contains a server-side request forgery policy bypass vulnerability allowing attackers to trigger navigations bypassing normal SSRF checks. Attackers can exploit browser interactions to bypass SSRF protections and access restricted resources.

SSRF Openclaw
NVD GitHub VulDB
CVSS 4.0
4.8
EPSS
0.0%
CVE-2026-24231 MEDIUM This Month

Server-side request forgery in NVIDIA NemoClaw's validateEndpointUrl() function allows local attackers with user interaction to supply crafted endpoint URLs targeting the 0.0.0.0/8 address range via blueprint configuration files or CLI flags, leading to information disclosure. The vulnerability affects all versions of NemoClaw and requires local access with user interaction to trigger, limiting exposure to systems where untrusted users can modify configuration or invoke CLI commands.

Information Disclosure SSRF Nvidia
NVD
CVSS 3.1
6.3
EPSS
0.0%
CVE-2026-7291 LOW POC Monitor

Server-side request forgery (SSRF) in o2oa up to version 10.0 allows authenticated remote attackers to manipulate the fileUrl parameter in the FileAction component to trigger arbitrary HTTP requests from the server. The vulnerability requires authenticated access (PR:L) but can facilitate attacks against internal services, exfiltrate sensitive data, or pivot to backend systems. Publicly available exploit code exists, and the vendor has not yet responded to early notification.

Java SSRF
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-7223 npm MEDIUM POC This Month

Server-side request forgery (SSRF) in BigSweetPotatoStudio HyperChat up to version 2.0.0-alpha.63 allows remote unauthenticated attackers to manipulate the baseurl argument in the AI Proxy Middleware component, enabling arbitrary HTTP requests from the affected server. The vulnerability has a publicly available exploit and CVSS 6.9 score reflecting confidentiality, integrity, and availability impact at the network level with low complexity. The vendor has not responded to early disclosure notification through the project's GitHub issue tracker.

SSRF Hyperchat
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-7221 MEDIUM POC PATCH This Month

Server-side request forgery (SSRF) in TencentCloudBase CloudBase-MCP through version 2.17.0 allows remote unauthenticated attackers to manipulate the open-url API endpoint by injecting arbitrary URLs via the req.body.url parameter, enabling attackers to make unauthorized requests from the server to internal or external resources. The vulnerability has publicly available exploit code and affects the openUrl function in mcp/src/interactive-server.ts. Vendor-released patch version 2.17.1 is available.

SSRF Cloudbase Mcp
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-7178 MEDIUM This Month

A weakness has been identified in ChatGPTNextWeb NextChat up to 2.16.1. This affects the function storeUrl of the file app/api/artifacts/route.ts of the component Artifacts Endpoint. This manipulation of the argument ID causes server-side request forgery. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.

SSRF Nextchat
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-7177 MEDIUM POC This Month

A security flaw has been discovered in ChatGPTNextWeb NextChat up to 2.16.1. Affected by this issue is the function proxyHandler of the file app/api/[provider]/[...path]/route.ts. The manipulation results in server-side request forgery. The attack may be performed from remote. The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.

SSRF Nextchat
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-7158 PyPI MEDIUM This Month

A vulnerability has been found in dmitryglhf mcp-url-downloader up to 4b8cf2de55f6e8864a77d108e8a94a5b8e4394c6. Affected by this issue is the function _validate_url_safe of the file src/mcp_url_downloader/server.py. Such manipulation of the argument url leads to server-side request forgery. The attack can be executed remotely. The exploit has been disclosed to the public and may be used. This product implements a rolling release for ongoing delivery, which means version information for affected or updated releases is unavailable. The project was informed of the problem early through an issue report but has not responded yet.

SSRF
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-7150 PyPI LOW Monitor

A vulnerability was found in dh1011 auto-favicon up to f189116a9259950c2393f114dbcb94dde0ad864b. This issue affects the function generate_favicon_from_url of the file src/auto_favicon/server.py of the component MCP Tool. The manipulation of the argument image_url results in server-side request forgery. The attack may be performed from remote. The exploit has been made public and could be used. This product utilizes a rolling release system for continuous delivery, and as such, version information for affected or updated releases is not disclosed. The project was informed of the problem early through an issue report but has not responded yet.

SSRF
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-7146 MEDIUM This Month

A security vulnerability has been detected in AlejandroArciniegas mcp-data-vis up to de5a51525a69822290eaee569a1ab447b490746d. Affected by this vulnerability is the function axios of the file src/servers/web-scraper/server.js of the component HTTP Request Handler. Such manipulation leads to server-side request forgery. The attack may be launched remotely. The exploit has been disclosed publicly and may be used. This product operates on a rolling release basis, ensuring continuous delivery. Consequently, there are no version details for either affected or updated releases. The project was informed of the problem early through an issue report but has not responded yet.

SSRF
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-7147 MEDIUM POC This Month

A vulnerability was detected in JoeCastrom mcp-chat-studio up to 1.5.0. Affected by this issue is some unknown functionality of the file server/routes/llm.js of the component LLM Models API. Performing a manipulation of the argument req.query.base_url results in server-side request forgery. Remote exploitation of the attack is possible. The exploit is now public and may be used. The project was informed of the problem early through an issue report but has not responded yet.

SSRF Mcp Chat Studio
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-7094 MEDIUM POC This Month

Server-side request forgery in ShadowCloneLabs GlutamateMCPServers allows remote unauthenticated attackers to manipulate the 'url' parameter in the puppeteer_navigate component (src/puppeteer/index.ts), potentially accessing internal resources or conducting network reconnaissance. A publicly available proof-of-concept exploit exists (GitHub). EPSS data not available, but CVSS 7.3 (High) with network vector, low complexity, and no authentication requirements indicates significant accessibility. The vendor has not responded to early disclosure via GitHub issue #8, and no patch timeline exists due to the project's rolling release model.

SSRF Glutamatemcpservers
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-7084 LOW Monitor

Server-side request forgery in HBAI-Ltd Toonflow-app up to version 1.1.1 allows authenticated remote attackers to manipulate the Link parameter in the getCodeByLink endpoint, enabling arbitrary HTTP requests from the server. The vendor acknowledges the /getCodeByLink interface is inherently high-risk and designed to fetch and execute TypeScript code locally; public exploit code exists but vendor questions the practical exploitability of the reported vulnerability.

SSRF
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-7065 MEDIUM POC This Month

Server-side request forgery (SSRF) in BuildingAI up to version 26.0.1 allows remote unauthenticated attackers to abuse the Remote Upload API's uploadRemoteFile function by manipulating the url parameter, enabling unauthorized access to internal resources, data exfiltration from cloud metadata services, and potential pivoting to internal network systems. A publicly available exploit exists (GitHub issue #110), but the vendor has not responded to disclosure. CVSS 7.3 with EPSS data unavailable; exploitation requires no authentication and low attack complexity (AV:N/AC:L/PR:N/UI:N), making this a high-priority remediation target despite unknown CISA KEV status.

SSRF Buildingai
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-7025 MEDIUM POC This Month

Server-side request forgery in Typecho's Pingback Service (versions up to 1.3.0) allows remote unauthenticated attackers to force the server to make arbitrary HTTP requests to internal or external resources. The vulnerability resides in Service::sendPingHandle() function where attacker-controlled X-Pingback and link parameters bypass validation. Public exploit code exists (documented in researcher blog post), enabling immediate weaponization. CVSS 7.3 reflects network-accessible attack with no authentication required. EPSS data not available, but public POC significantly elevates real-world risk. Vendor non-responsive to early disclosure.

PHP SSRF
NVD VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-6983 LOW POC Monitor

Server-side request forgery (SSRF) in Pagekit up to version 1.0.18 allows authenticated high-privilege administrators to manipulate the url parameter in the /index.php/admin/system/update/download endpoint, enabling them to force the server to make arbitrary HTTP requests to internal or external systems. Publicly available exploit code exists, and the vendor did not respond to early disclosure efforts.

PHP SSRF
NVD VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-6981 LOW POC Monitor

Server-side request forgery (SSRF) in AiraHub2 allows authenticated remote attackers to manipulate the connect_stream_endpoint and sync_agents functions in AiraHub.py, enabling arbitrary HTTP requests to internal or external systems. The vulnerability affects multiple endpoints and has publicly available exploit code; however, the vendor has not responded to disclosure attempts and uses a rolling release model, making patch status unclear.

SSRF Airahub2
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-6979 LOW POC Monitor

Server-side request forgery (SSRF) in devlikeapro WAHA up to version 2026.3.4 allows authenticated remote attackers to forge requests from the server via the media.controller.ts API endpoint, enabling potential reconnaissance, internal resource access, and lateral movement attacks. Publicly available exploit code exists and the vendor has not responded to disclosure efforts.

SSRF Waha
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-41488 PyPI LOW PATCH Monitor

LangChain is a framework for building agents and LLM-powered applications. Prior to 1.1.14, langchain-openai's _url_to_size() helper (used by get_num_tokens_from_messages for image token counting) validated URLs for SSRF protection and then fetched them in a separate network operation with independent DNS resolution. This left a TOCTOU / DNS rebinding window: an attacker-controlled hostname could resolve to a public IP during validation and then to a private/localhost IP during the actual fetch.

SSRF Langchain Openai
NVD GitHub VulDB
CVSS 3.1
3.1
EPSS
0.0%
CVE-2026-41481 PyPI MEDIUM PATCH This Month

LangChain is a framework for building agents and LLM-powered applications. Prior to langchain-text-splitters 1.1.2, HTMLHeaderTextSplitter.split_text_from_url() validated the initial URL using validate_safe_url() but then performed the fetch with requests.get() with redirects enabled (the default). Because redirect targets were not revalidated, a URL pointing to an attacker-controlled server could redirect to internal, localhost, or cloud metadata endpoints, bypassing SSRF protections. The response body is parsed and returned as Document objects to the calling application code. Whether this constitutes a data exfiltration path depends on the application: if it exposes Document contents (or derivatives) back to the requester who supplied the URL, sensitive data from internal endpoints could be leaked. Applications that store or process Documents internally without returning raw content to the requester are not directly exposed to data exfiltration through this issue. This vulnerability is fixed in 1.1.2.

Information Disclosure SSRF Langchain Text Splitters
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-42038 npm MEDIUM POC PATCH GHSA This Month

Axios versions prior to 1.15.1 and 0.31.1 fail to properly bypass proxy configurations when no_proxy=localhost is set, allowing attackers to route requests to loopback addresses (127.0.0.1 and [::1]) through proxy servers instead of bypassing them. This Server-Side Request Forgery (SSRF) vulnerability arises because the shouldBypassProxy() function performs only string matching without resolving IP aliases or loopback equivalents, potentially exposing internal services to proxy interception or manipulation with a CVSS score of 6.8 (high confidentiality impact over changed scope).

Node.js SSRF Red Hat
NVD GitHub VulDB
CVSS 3.1
6.8
EPSS
0.0%
CVE-2026-34884 Awaiting Data

Pre-NVD disclosure via oss-security: oss-security mailing list - 2026/04/13. erates session ids insecurely (Robert Rothenberg <rrwo@...nsec.org>) CVE-2025-54057: Apache SkyWalking: Stored XSS vulnerability (Zhenxu Ke <kezhenxu94@...che.org>) CVE-2026-34476: Apache SkyWalking MCP: Server-Side Request Forgery via SW-URL Header in MCP Server (Qiuxia Fan <qiuxiafan@...che.org>) CVE-2026-34884: Apache SkyWalking MCP: SSRF via set_skywalking_url Tool and GraphQL Expression Injection in MCP Server (Qiuxia Fan <qiuxiafan@...che.org>) CVE-2025-66236: Apache Airflow: Secrets from Airflow config file logged in plain text in DAG run logs UI (Rahul Vats <rahulvats@...che.org>) CVE-2026-33858: Ap

SSRF XSS Apache
NVD
CVE-2026-31955 MEDIUM PATCH This Month

Server-Side Request Forgery in Xibo CMS prior to version 4.4.1 allows high-privilege authenticated users with DataSet permissions to make arbitrary HTTP requests from the CMS server to internal or external resources, enabling infrastructure reconnaissance, cloud metadata access (e.g., AWS IMDS), and potential data exfiltration. Exploitation requires both 'Add DataSet' privilege and DataSet management capabilities, which are not default non-admin permissions, limiting the attack surface to trusted insiders or compromised administrative accounts.

Microsoft SSRF
NVD GitHub VulDB
CVSS 3.1
4.9
EPSS
0.0%
CVE-2026-41361 npm MEDIUM PATCH This Month

OpenClaw before 2026.3.28 contains an SSRF guard bypass vulnerability that fails to block four IPv6 special-use ranges. Attackers can exploit this by crafting URLs targeting internal or non-routable IPv6 addresses to bypass SSRF protections.

SSRF Openclaw
NVD GitHub VulDB
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-41321 npm LOW PATCH GHSA Monitor

## Summary The `fetch()` call for remote images in `packages/integrations/cloudflare/src/utils/image-binding-transform.ts` (line 28) uses the default `redirect: 'follow'` behavior. This allows the Cloudflare Worker to follow HTTP redirects to arbitrary URLs, bypassing the `isRemoteAllowed()` domain allowlist check which only validates the initial URL. All three other image fetch paths in the codebase correctly use `{ redirect: 'manual' }`. This is an incomplete fix for GHSA-qpr4-c339-7vq8. Confirmed on HEAD. ## Root Cause `image-binding-transform.ts` line 28: const content = await (isRemotePath(href) ? fetch(imageSrc) : assets.fetch(imageSrc)); Missing `{ redirect: 'manual' }`. The three protected paths: // image-passthrough-endpoint.ts:23 response = await fetch(href, { redirect: 'manual' }); // assets/endpoint/shared.ts:11 const res = await fetch(src, { redirect: 'manual' }); // assets/utils/remoteProbe.ts:53 const response = await fetch(url, { redirect: 'manual' }); ## PoC Demonstrated with Node.js that `fetch()` without `redirect: 'manual'` follows 302 redirects to arbitrary destinations: # Server A (allowed domain) returns 302 → Server B (internal) fetch('http://allowed:19741/img.jpg') → follows 302 → hits http://internal:19742/secret fetch('http://allowed:19741/img.jpg', {redirect:'manual'}) → returns 302, internal server NOT hit Attack path: attacker finds an open redirect on an allowed domain, crafts `/_image?href=https://allowed-cdn.com/redirect?url=http://internal-service/`, and the Worker follows the redirect to the unauthorized destination. ## Impact Bypasses the `image.domains` and `image.remotePatterns` allowlist for the default Cloudflare image service (`cloudflare-binding`). Enables blind SSRF to domains not in the allowlist. Same vulnerability class as GHSA-qpr4-c339-7vq8 (HIGH) which fixed the passthrough endpoint but missed this one. ## Suggested Fix const content = await (isRemotePath(href) ? fetch(imageSrc, { redirect: 'manual' }) : assets.fetch(imageSrc));

Node.js SSRF Open Redirect Cloudflare
NVD GitHub
CVSS 3.1
2.2
EPSS
0.0%
CVE-2026-35431 CRITICAL PATCH NEWS NO ACTION HOSTED Monitor

Server-side request forgery (ssrf) in Microsoft Entra ID Entitlement Management allows an unauthorized attacker to perform spoofing over a network.

Microsoft SSRF
NVD
CVSS 3.1
10.0
EPSS
0.1%
CVE-2026-26150 HIGH PATCH NEWS NO ACTION HOSTED Monitor

Server-side request forgery (ssrf) in Microsoft Purview allows an unauthorized attacker to elevate privileges over a network.

Microsoft SSRF
NVD
CVSS 3.1
8.6
EPSS
0.1%
CVE-2026-32210 CRITICAL PATCH NEWS NO ACTION HOSTED Monitor

Server-side request forgery (ssrf) in Microsoft Dynamics 365 (Online) allows an unauthorized attacker to perform spoofing over a network.

Microsoft SSRF
NVD
CVSS 3.1
9.3
EPSS
0.0%
CVE-2026-41271 npm HIGH PATCH GHSA This Week

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, a Server-Side Request Forgery (SSRF) vulnerability exists in FlowiseAI's POST/GET API Chain components that allows unauthenticated attackers to force the server to make arbitrary HTTP requests to internal and external systems. By injecting malicious prompt templates, attackers can bypass the intended API documentation constraints and redirect requests to sensitive internal services, potentially leading to internal network reconnaissance and data exfiltration. This vulnerability is fixed in 3.1.0.

SSRF Flowise Flowise Components
NVD GitHub VulDB
CVSS 3.1
8.3
EPSS
0.0%
CVE-2026-41272 npm HIGH PATCH GHSA This Week

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the core security wrappers (secureAxiosRequest and secureFetch) intended to prevent Server-Side Request Forgery (SSRF) contain multiple logic flaws. These flaws allow attackers to bypass the allow/deny lists via DNS Rebinding (Time-of-Check Time-of-Use) or by exploiting the default configuration which fails to enforce any deny list. This vulnerability is fixed in 3.1.0.

SSRF Flowise Flowise Components
NVD GitHub VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-41270 npm HIGH PATCH GHSA This Week

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, a Server-Side Request Forgery (SSRF) protection bypass vulnerability exists in the Custom Function feature. While the application implements SSRF protection via HTTP_DENY_LIST for axios and node-fetch libraries, the built-in Node.js http, https, and net modules are allowed in the NodeVM sandbox without equivalent protection. This allows authenticated users to bypass SSRF controls and access internal network resources (e.g., cloud provider metadata services) This vulnerability is fixed in 3.1.0.

Node.js Authentication Bypass SSRF
NVD GitHub VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-41461 MEDIUM This Month

SocialEngine versions 7.8.0 and prior contain a blind server-side request forgery vulnerability in the /core/link/preview endpoint where user-supplied input passed via the uri request parameter is not sanitized before being used to construct outbound HTTP requests. Authenticated remote attackers can supply arbitrary URLs including internal network addresses and loopback addresses to cause the server to issue HTTP requests to attacker-controlled destinations, enabling internal network enumeration and access to services not intended to be externally reachable.

SSRF Socialengine
NVD VulDB
CVSS 4.0
6.3
EPSS
0.0%
CVE-2026-41177 MEDIUM PATCH This Month

Blind Server-Side Request Forgery (SSRF) in Squidex prior to version 7.23.0 allows authenticated administrators to force the backend server to interact with the local filesystem via the `file://` protocol in the Restore API's `Url` parameter, potentially disclosing sensitive system information through side-channel analysis of internal logs. No public exploit code or active exploitation has been identified at time of analysis.

SSRF Squidex
NVD GitHub
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-41172 HIGH PATCH This Week

Server-Side Request Forgery in Squidex versions prior to 7.23.0 allows authenticated users with asset upload permissions to force the CMS server to fetch arbitrary URLs, including internal network resources and localhost endpoints, storing the retrieved content as platform assets. This enables reconnaissance of internal infrastructure, exfiltration of cloud metadata endpoints (AWS/Azure credentials), and access to services not exposed to the internet. CVSS 7.3 (High) with CVSS 4.0 E:P (Proof-of-concept exists). Vendor patch available in version 7.23.0 per GitHub security advisory GHSA-x7cq-4f4c-8qcv.

SSRF Squidex
NVD GitHub
CVSS 4.0
7.3
EPSS
0.0%
CVE-2026-41171 HIGH PATCH This Week

Server-Side Request Forgery (SSRF) in Squidex versions before 7.23.0 allows authenticated users with schema editing permissions to force the server to make arbitrary HTTP requests to internal services and cloud metadata endpoints through the Jint scripting engine. The vulnerability can expose cloud provider credentials (e.g., AWS IMDS) and enable lateral movement within internal networks. Exploitation requires only low-privilege authentication (PR:L) and has publicly available exploit code (E:P in CVSS 4.0 vector). Vendor-confirmed patch available in version 7.23.0.

SSRF Squidex
NVD GitHub
CVSS 4.0
7.3
EPSS
0.0%
CVE-2026-41170 HIGH PATCH This Week

Server-Side Request Forgery in Squidex's backup restoration endpoint allows authenticated administrators to probe internal network services and access cloud metadata endpoints. The RestoreController.PostRestoreJob endpoint accepts arbitrary URLs without SSRF protection, enabling internal reconnaissance through the application's HTTP client. Exploitation requires high privileges (admin authentication) but grants access to confidential internal resources and sensitive cloud service metadata. Version 7.23.0 patches this vulnerability. EPSS exploitation probability and active exploitation status are not reported in available intelligence.

SSRF Squidex
NVD GitHub
CVSS 4.0
7.2
EPSS
0.0%
CVE-2026-41455 MEDIUM PATCH This Month

Server-side request forgery in WeKan before 8.35 allows authenticated users to create or modify webhook integrations with arbitrary URLs, enabling the server to issue HTTP POST requests to internal network addresses and attacker-controlled targets. The vulnerability additionally permits unauthorized modification of comment text through response handling, affecting systems where users have integration management privileges. No active exploitation has been confirmed at time of analysis.

SSRF Wekan
NVD GitHub
CVSS 4.0
6.3
EPSS
0.0%
CVE-2026-41644 Go HIGH PATCH GHSA This Week

Server-side request forgery in monetr's Lunch Flow integration allows authenticated users on self-hosted instances to force the server to issue HTTP GET requests to arbitrary URLs, with response bodies from failed requests reflected in API error messages. This enables information disclosure attacks against internal networks, cloud metadata endpoints (AWS EC2 instance metadata without IMDSv2), and RFC1918 private addresses. The vulnerability is compounded by unbounded response buffering that creates a denial-of-service vector via memory exhaustion. Patch available in v1.12.5. The hosted my.monetr.app service is not affected as Lunch Flow is disabled there. Self-hosted instances with default configuration (Lunch Flow enabled, public signup allowed) are at highest risk.

Information Disclosure SSRF
NVD GitHub
CVSS 4.0
8.3
EPSS
0.0%
CVE-2026-40937 Cargo HIGH PATCH GHSA This Week

# Missing Admin Auth on Notification Target Endpoints in RustFS ### Finding Summary All four notification target admin API endpoints in `rustfs/src/admin/handlers/event.rs` use a `check_permissions` helper that validates authentication only (access key + session token), without performing any admin-action authorization via `validate_admin_request`. Every other admin handler in the codebase correctly calls `validate_admin_request` with a specific `AdminAction`. This is the only admin handler file that skips authorization. A non-admin user can overwrite a shared admin-defined notification target by name, causing subsequent bucket events to be delivered to an attacker-controlled endpoint. This enables cross-user event interception and audit evasion. ### What Was Proven Live 1. **Authorization bypass on all four endpoints** (03_readonly_user_bypass.py) - PUT, GET list, GET arns, DELETE all return 200 for readonly-user - Control routes (list-users, kms/status) correctly return 403 - Unauthenticated requests correctly rejected (403 Signature required) 2. **SSRF via health probe** (04_ssrf_listener_landing.py) - HEAD request from rustfs container to attacker-controlled listener - No host validation: only scheme check (http/https) 3. **Target hijacking and event exfiltration** (05_target_hijacking.py, 06_full_event_exfil.py) - Readonly-user overwrites admin-configured target URL by name - Subsequent S3 events delivered to attacker-controlled endpoint - Captured event body includes object keys, bucket names, user identities, and request metadata 4. **Audit evasion** (05_target_hijacking.py) - Readonly-user can delete unbound targets - Readonly-user can overwrite bound targets (silently redirecting events) ### Escalation Vectors Tested But Not Viable 1. **Self-referencing webhook to admin API** (13_self_referencing_test.py) - Webhook sends unsigned POST with event JSON body - Admin endpoints require SigV4 auth -- unsigned request rejected - "Confused deputy" via self-referencing does NOT work 2. **Protocol smuggling via non-HTTP targets** - Only 2 target types implemented: webhook and MQTT (`event.rs:613` enforces this) - No Redis, Kafka, AMQP, or other protocol targets exist - CRLF injection in webhook config fields sanitized by reqwest - MQTT uses rumqttc (pure Rust binary protocol client), no raw TCP injection 3. **MQTT target for RCE** - No unsafe code in MQTT handler - rumqttc 0.29.0 has no known public CVEs - No Command::new, template engines, or deserialization of broker responses 4. **Unauth access** - Endpoints correctly reject unauthenticated requests (403) - Endpoints correctly reject invalid credentials (403) ### Prior Art No existing advisory covers notification target endpoints. 11 published GHSAs on rustfs/rustfs cover different handlers. Closest: - CVE-2026-22042 (ImportIam wrong action constant) -- same bug class, different file - CVE-2026-22043 (deny_only short-circuit) -- different bug class ### Recommendation Submit via GitHub PVR. The finding is well-supported with live PoC, code references, and clear root cause. The fix is straightforward (add `validate_admin_request` calls to event.rs handlers). Core submission should reference 2-3 focused PoC scripts (readonly bypass, target hijack, event exfil), not the full set of 13 exploratory scripts. Koda Reef ### Patch This issue has been patched in version https://github.com/rustfs/rustfs/releases/tag/1.0.0-alpha.94.

SSRF Deserialization Authentication Bypass Redis
NVD GitHub
CVSS 3.1
8.3
EPSS
0.1%
CVE-2026-41130 PHP MEDIUM PATCH This Month

Server-Side Request Forgery (SSRF) in Craft CMS 4.x through 4.17.8 and 5.x through 5.9.14 allows unauthenticated attackers to proxy arbitrary remote HTTP requests via the `resource-js` endpoint when `trustedHosts` is not explicitly configured. By manipulating the Host header, attackers can control the derived `baseUrl` used in validation, bypassing prefix checks and forcing the server to issue requests to arbitrary destinations. Patch versions 4.17.9 and 5.9.15 address the vulnerability.

SSRF
NVD GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-41129 PHP MEDIUM PATCH This Month

Server-Side Request Forgery in Craft CMS 4.x through 4.17.8 and 5.x through 5.9.14 allows authenticated users with asset management permissions to request arbitrary URLs via the GraphQL API, potentially exposing internal services or performing actions on behalf of the CMS server. Exploitation requires high-privilege role assignments ('Edit assets' and 'Create assets' in a volume) and is patched in versions 4.17.9 and 5.9.15. EPSS score indicates moderate exploitation probability despite high CVSS, suggesting this is primarily a risk in multi-user CMS deployments where privilege separation is weak.

SSRF
NVD GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-35548 HIGH This Week

Server-Side Request Forgery in guardsix (formerly Logpoint) ODBC Enrichment Plugins allows authenticated Operator users to redirect stored database credentials to arbitrary internal systems by modifying connection endpoints without clearing cached credentials. The vulnerability affects versions before 5.2.1 and enables credential misuse against unintended internal databases despite Changed Scope (CVSS S:C) indicating potential cross-boundary impact. EPSS and exploitation data not available; SSVC indicates no known exploitation, non-automatable attack requiring low-privilege authentication, with partial technical impact to confidentiality and integrity.

SSRF
NVD VulDB
CVSS 3.1
8.5
EPSS
0.0%
CVE-2026-5921 HIGH PATCH This Week

A server-side request forgery (SSRF) vulnerability was identified in GitHub Enterprise Server that allowed an attacker to extract sensitive environment variables from the instance through a timing side-channel attack against the notebook rendering service. When private mode was disabled, the notebook viewer followed HTTP redirects without revalidating the destination host, enabling an unauthenticated SSRF to internal services. By chaining this with regex filter queries against an internal API and measuring response time differences, an attacker could infer secret values character by character. Exploitation required that private mode be disabled and that the attacker be able to chain the instance's open redirect endpoint through an external redirect to reach internal services. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.21 and was fixed in versions 3.14.26, 3.15.21, 3.16.17, 3.17.14, 3.18.8, 3.19.5, and 3.20.1. This vulnerability was reported via the GitHub Bug Bounty program.

SSRF Open Redirect
NVD GitHub
CVSS 4.0
8.9
EPSS
0.0%
CVE-2026-41060 PHP HIGH GHSA This Week

WWBN AVideo is an open source video platform. In versions 29.0 and below, the `isSSRFSafeURL()` function in `objects/functions.php` contains a same-domain shortcircuit (lines 4290-4296) that allows any URL whose hostname matches `webSiteRootURL` to bypass all SSRF protections. Because the check compares only the hostname and ignores the port, an attacker can reach arbitrary ports on the AVideo server by using the site's public hostname with a non-standard port. The response body is saved to a web-accessible path, enabling full exfiltration. Commit a0156a6398362086390d949190f9d52a823000ba fixes the issue.

PHP SSRF
NVD GitHub
CVSS 3.1
7.7
EPSS
0.0%
CVE-2026-41055 PHP HIGH This Week

WWBN AVideo is an open source video platform. In versions 29.0 and below, an incomplete SSRF fix in AVideo's LiveLinks proxy adds `isSSRFSafeURL()` validation but leaves DNS TOCTOU vulnerabilities where DNS rebinding between validation and the actual HTTP request redirects traffic to internal endpoints. Commit 8d8fc0cadb425835b4861036d589abcea4d78ee8 contains an updated fix.

SSRF Avideo
NVD GitHub
CVSS 3.1
8.6
EPSS
0.0%
CVE-2026-6744 PHP LOW POC Monitor

Server-side request forgery in Bagisto's Downloadable Link Handler component (versions up to 2.3.15) allows authenticated remote attackers to perform arbitrary HTTP requests on behalf of the server, potentially enabling access to internal resources, metadata services, or information disclosure. The vulnerability has publicly available exploit code and affects the copy function with low-to-moderate CVSS score (5.3) but concrete real-world impact if internal services are exposed. Vendor acknowledges the issue and states fixes are coming in upcoming releases.

SSRF Bagisto
NVD VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-40566 MEDIUM PATCH This Month

Server-Side Request Forgery (SSRF) in FreeScout versions before 1.8.213 allows authenticated administrators to probe internal networks and fingerprint services via unvalidated IMAP and SMTP connection test functionality. Three AJAX actions in MailboxesController pass attacker-controlled server hostnames and ports directly to fsockopen() and protocol clients without IP validation, hostname restrictions, or internal-range blocklists, enabling port scanning and service banner disclosure through IMAP debug logs and AJAX responses. The vulnerability requires admin authentication but affects confidentiality of internal infrastructure.

PHP SSRF
NVD GitHub
CVSS 3.1
4.1
EPSS
0.0%
CVE-2026-41302 npm MEDIUM PATCH This Month

OpenClaw before version 2026.3.31 contains a server-side request forgery (SSRF) vulnerability in the marketplace plugin download functionality, where unguarded fetch() calls allow authenticated users with user interaction to make arbitrary network requests on behalf of the affected system. Remote attackers can access internal resources or interact with external services, potentially disclosing sensitive data or compromising internal infrastructure; no public exploit code or active exploitation has been identified at time of analysis.

SSRF Openclaw
NVD GitHub VulDB
CVSS 4.0
4.8
EPSS
0.0%
CVE-2026-41297 npm MEDIUM PATCH This Month

OpenClaw before version 2026.3.31 allows authenticated users to exploit server-side request forgery (SSRF) through unvalidated HTTP redirects in the marketplace plugin download functionality, enabling access to internal resources and potential information disclosure. The marketplace.ts module fails to validate redirect destinations during archive downloads, permitting remote attackers with valid credentials and user interaction to redirect requests to arbitrary internal or external servers. Real-world exploitation is limited by authentication and interaction requirements, keeping the baseline CVSS at 4.8 (medium), though impact depends on network exposure of internal services.

SSRF Openclaw
NVD GitHub VulDB
CVSS 4.0
4.8
EPSS
0.0%
CVE-2026-35587 PyPI HIGH PATCH GHSA This Week

Server-Side Request Forgery in Glances IP plugin allows authenticated attackers to force the monitoring application to send HTTP requests to arbitrary internal or external endpoints, with automatic credential leakage when public_username and public_password are configured. The vulnerability affects all versions prior to 4.5.4 and arises from insufficient validation of the public_api configuration parameter. EPSS exploitation probability is low (0.04%, 12th percentile), but SSVC framework confirms proof-of-concept availability and automatable exploitation with partial technical impact. Vendor patch released in version 4.5.4.

SSRF Information Disclosure Suse
NVD GitHub
CVSS 4.0
7.3
EPSS
0.0%
CVE-2026-33626 PyPI HIGH POC PATCH NEWS GHSA This Week

Server-Side Request Forgery (SSRF) in InternLM LMDeploy's vision-language module allows remote unauthenticated attackers to access cloud metadata services, internal networks, and sensitive resources through unvalidated URL fetching in the load_image() function. Affects all versions prior to 0.12.3. EPSS score not available; no public exploit identified at time of analysis. Patch released in version 0.12.3.

SSRF Lmdeploy
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-25883 MEDIUM PATCH This Month

Server-Side Request Forgery in Vexa meeting bot allows unauthenticated remote attackers to forge HTTP POST requests to arbitrary internal URLs (Redis, databases, cloud metadata endpoints) via unvalidated webhook configuration, enabling credential theft and lateral movement. CVSS 5.8 with network attack vector and no user interaction required. Fixed in version 0.10.0-260419-1910.

SSRF Redis
NVD GitHub
CVSS 3.1
5.8
EPSS
0.0%
CVE-2026-34428 HIGH PATCH This Week

Server-Side Request Forgery in Vvveb CMS versions prior to 1.0.8.1 allows authenticated backend users to read arbitrary local files via file:// URLs or probe internal network services via http:// URLs through the oEmbedProxy action's unvalidated url parameter. The vulnerability (CWE-918) enables information disclosure from the web server's filesystem and internal network reconnaissance. Patch available in version 1.0.8.1. EPSS data not provided; no CISA KEV listing indicates no confirmed widespread exploitation at time of analysis.

SSRF Vvveb
NVD GitHub
CVSS 4.0
8.3
EPSS
0.0%
CVE-2026-6649 LOW POC Monitor

Server-side request forgery in Qibo CMS 1.0 allows authenticated remote attackers to manipulate the 'starts' parameter in /index/image/headers endpoint, triggering arbitrary internal requests from the server. Publicly available exploit code exists. The vendor did not respond to early disclosure notification, leaving no patched version available.

SSRF Cms
NVD VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-6625 MEDIUM POC This Month

Server-side request forgery (SSRF) in Mogu Blog v2 up to version 5.2 allows unauthenticated remote attackers to initiate arbitrary HTTP requests from the affected server through the picture upload functionality. The vulnerability exists in the LocalFileServiceImpl.uploadPictureByUrl method within the Picture Storage Service component, enabling attackers to access internal services, scan internal networks, or exfiltrate sensitive data. Publicly available exploit code exists, and the vendor has not responded to early disclosure notifications.

SSRF Java
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-6618 LOW POC Monitor

Server-side request forgery in Dify up to version 1.13.3 allows authenticated remote attackers to manipulate the URL argument in the ApiBasedToolSchemaParser component, enabling arbitrary HTTP requests from the server to internal or external systems. The vulnerability affects the parse_openai_plugin_json_to_tool_bundle function in api/core/tools/utils/parser.py. Publicly available exploit code exists, and the vendor has not responded to early disclosure notification.

SSRF Dify
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-6617 LOW POC Monitor

Server-side request forgery (SSRF) in Dify's ApiToolManageService allows authenticated remote attackers to manipulate the URL argument in the get_api_tool_provider_remote_schema function, enabling them to make arbitrary HTTP requests from the server. Affects Dify versions up to 0.6.9. Publicly available exploit code exists, and the vendor has not responded to early disclosure attempts.

SSRF Dify
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-6616 LOW POC Monitor

Server-side request forgery (SSRF) in TransformerOptimus SuperAGI up to version 0.0.14 allows authenticated remote attackers to manipulate the WebScraperTool's webpage extraction functions (extract_with_bs4, extract_with_3k, extract_with_lxml) to forge requests to arbitrary servers. The vulnerability has publicly available exploit code and low vendor responsiveness, creating immediate risk for deployments using affected versions.

SSRF Superagi
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-6606 PyPI MEDIUM POC This Month

Modelscope AgentScope versions up to 1.0.18 contain a server-side request forgery (SSRF) vulnerability in the _process_audio_block function that allows remote unauthenticated attackers to manipulate the 'url' argument and trigger arbitrary HTTP requests from the vulnerable server. Publicly available exploit code exists, and the vendor has not responded to disclosure attempts, leaving affected deployments without an official patch.

SSRF Agentscope
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-6605 PyPI MEDIUM POC This Month

Server-side request forgery in ModelScope AgentScope up to version 1.0.18 allows remote unauthenticated attackers to manipulate the _get_bytes_from_web_url function in src/agentscope/_utils/_common.py, enabling them to make arbitrary HTTP requests from the affected server. Publicly available exploit code exists, and the vendor has not responded to early disclosure attempts, leaving affected installations vulnerable to attackers probing internal networks and services.

SSRF Agentscope
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-6604 PyPI MEDIUM POC This Month

Server-side request forgery (SSRF) in ModelScope AgentScope up to version 1.0.18 allows remote unauthenticated attackers to manipulate image_url and audio_file_url parameters in the _parse_url, prepare_image, and openai_audio_to_text functions, enabling arbitrary HTTP requests from the affected server. The vulnerability has publicly available exploit code and affects the Cloud Metadata Endpoint component. The vendor has not responded to early disclosure attempts, and exploitation is confirmed to be possible with low attack complexity.

SSRF Agentscope
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-6587 PyPI LOW POC Monitor

Server-side request forgery in vibrantlabsai RAGAS up to version 0.4.3 allows authenticated remote attackers to manipulate the retrieved_contexts argument in the Collections Module's _try_process_local_file and _try_process_url functions, enabling arbitrary file reads and network requests with the application's privileges. Publicly available exploit code exists; the vendor has not responded to early disclosure attempts despite the security patch for related CVE-2025-45691 being applied to a different module only.

SSRF Ragas
NVD VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-6573 LOW POC Monitor

Server-side request forgery in PHPEMS 11.0 allows authenticated remote attackers to manipulate the uploadfile parameter in the Instant Exam Creation Handler component, enabling SSRF attacks that can access internal resources or perform unauthorized requests from the server. The vulnerability affects the temppage function in /app/exam/controller/exams.master.php and has public exploit code available, though exploitation requires valid user credentials (PR:L).

PHP SSRF
NVD VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-40348 HIGH PATCH This Week

Server-Side Request Forgery in Movary movie tracking application allows authenticated users to probe internal networks and metadata endpoints. The /settings/jellyfin/server-url-verify endpoint accepts user-controlled URLs without validating against private IP ranges, enabling internal reconnaissance through the server's context. Affects all versions prior to 0.71.1. EPSS data not available, but exploitation requires only low-privilege authentication (CVSS PR:L) with no attack complexity, making this readily exploitable by any registered user. Upstream fix confirmed in version 0.71.1 via GitHub commit d459b35.

SSRF Movary
NVD GitHub VulDB
CVSS 3.1
7.7
EPSS
0.0%
CVE-2026-35402 PyPI LOW PATCH GHSA Monitor

mcp-neo4j-cypher before version 0.6.0 allows authenticated users to bypass read-only mode enforcement via APOC CALL procedures, enabling unauthorized write operations and server-side request forgery against Neo4j databases. The vulnerability requires login credentials and attacker preparation (CVSS AT:P), limiting real-world risk to insider threats or compromised accounts with legitimate access to the MCP server.

Authentication Bypass SSRF Mcp Neo4J
NVD GitHub VulDB
CVSS 4.0
2.3
EPSS
0.0%
CVE-2026-40516 HIGH PATCH This Week

Server-Side Request Forgery in OpenHarness AI agent framework (pre-commit bd4df81) permits remote unauthenticated attackers to manipulate web_fetch and web_search tool parameters, forcing the agent to make HTTP requests to internal infrastructure including RFC1918 private networks, localhost services, and cloud metadata endpoints (e.g., AWS EC2 169.254.169.254). Changed scope (S:C) in CVSS vector indicates potential for pivoting beyond the vulnerable application's trust boundary. EPSS data unavailable; no public exploit identified at time of analysis, though exploitation technique is well-understood for SSRF class vulnerabilities. Patch available via GitHub commit bd4df81.

SSRF Openharness
NVD GitHub VulDB
CVSS 4.0
7.8
EPSS
0.0%
CVE-2026-6497 LOW POC Monitor

Server-side request forgery (SSRF) in TinyFileManager file upload handler (versions up to 2.6) allows authenticated remote attackers to manipulate the uploadurl parameter and forge requests to arbitrary servers. The vulnerability affects the /filemanager.php?p=&ajax=true&type=upload endpoint and has publicly available exploit code; the vendor has not responded to disclosure attempts.

PHP SSRF File Upload
NVD VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-5131 MEDIUM PATCH This Month

GREENmod before 2.8.33 allows remote code execution and server-side request forgery via incorrectly configured named pipes that accept unauthenticated XML or JSON file uploads, processing them with service-level privileges on Windows systems. An attacker on the network can abuse this to trigger SSRF attacks against SMB or WebDAV targets accessible to the service account, potentially compromising internal Windows infrastructure without authentication.

SSRF Microsoft
NVD
CVSS 4.0
6.9
EPSS
0.0%
CVE-2026-5052 Go MEDIUM PATCH GHSA This Month

Server-side request forgery (SSRF) in HashiCorp Vault's PKI engine ACME validation allows unauthenticated remote attackers to send http-01 and tls-alpn-01 challenge requests to local network targets by controlling DNS responses, potentially disclosing sensitive information from internal services. The vulnerability affects Vault Community Edition before 2.0.0 and Vault Enterprise before 1.19.16, 1.20.10, or 1.21.5. HashiCorp has released patched versions; no public exploit code has been identified at the time of analysis.

SSRF Hashicorp Information Disclosure
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-31317 PHP HIGH GHSA This Week

Server-Side Request Forgery (SSRF) in Craftql PHP library versions 1.3.7 and earlier enables remote attackers to force the server to make unintended requests, potentially leading to arbitrary code execution. The vulnerability resides in the GetAssetsFieldSchema.php listener component. No active exploitation is confirmed (not in CISA KEV), but a proof-of-concept repository with detailed exploitation documentation exists on GitHub. Despite the CVSS 7.5 rating, the extremely low EPSS score (0.01%, 0th percentile) indicates minimal real-world exploitation activity observed to date. The description claims RCE capability, but the CVSS vector shows only confidentiality impact (C:H/I:N/A:N), suggesting the SSRF may enable information disclosure that could chain into RCE rather than direct code execution - verification with vendor advisories needed.

PHP SSRF RCE N A
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-40500 PHP MEDIUM POC This Month

ProcessWire CMS version 3.0.255 and prior contain a server-side request forgery vulnerability in the admin panel's 'Add Module From URL' feature that allows authenticated administrators to supply arbitrary URLs to the module download parameter, causing the server to issue outbound HTTP requests to attacker-controlled internal or external hosts. Attackers can exploit differentiable error messages returned by the server to perform reliable internal network port scanning, host enumeration across RFC-1918 ranges, and potential access to cloud instance metadata endpoints.

SSRF Processwire
NVD GitHub VulDB
CVSS 4.0
6.1
EPSS
0.0%
CVE-2026-40346 npm MEDIUM PATCH GHSA This Month

## Summary NocoBase's workflow HTTP request plugin and custom request action plugin make server-side HTTP requests to user-provided URLs without any SSRF protection. An authenticated user can access internal network services, cloud metadata endpoints, and localhost. ## Vulnerable Code ### 1. Workflow HTTP Request Plugin **`packages/plugins/@nocobase/plugin-workflow-request/src/server/RequestInstruction.ts` lines 117-128:** ```typescript return axios.request({ url: trim(url), // User-controlled, no validation method, headers, params, timeout, ...(method.toLowerCase() !== 'get' && data != null ? { data: transformer ? await transformer(data) : data } : {}), }); ``` The `url` at line 98 comes directly from user workflow configuration with only whitespace trimming. ### 2. Custom Request Action Plugin **`packages/plugins/@nocobase/plugin-action-custom-request/src/server/actions/send.ts` lines 172-198:** ```typescript const axiosRequestConfig = { baseURL: ctx.origin, ...options, url: getParsedValue(url, variables), // User-controlled via template headers: { ... }, params: getParsedValue(arrayToObject(params), variables), data: getParsedValue(toJSON(data), variables), }; const res = await axios(axiosRequestConfig); // No IP validation ``` ## Missing Protections - No `request-filtering-agent` or SSRF library (confirmed via grep across entire codebase) - No private IP range filtering - No cloud metadata endpoint blocking - No URL scheme validation - No DNS rebinding protection ## Attack Scenario 1. Authenticated user creates a workflow with HTTP Request node 2. Sets URL to `http://169.254.169.254/latest/meta-data/iam/security-credentials/` 3. Triggers the workflow 4. Server fetches AWS metadata and returns IAM credentials in workflow execution logs Alternatively via Custom Request action: 1. Create custom request with URL `http://127.0.0.1:5432` or `http://10.0.0.1:8080/admin` 2. Execute the action 3. Server makes request to internal service ## Impact - **Cloud metadata theft**: AWS/GCP/Azure credentials via metadata endpoints - **Internal network access**: Scan and interact with services on private IP ranges - **Database access**: Connect to localhost databases (PostgreSQL, Redis, etc.) - **Authentication required**: Yes (authenticated user), but any workspace member can create workflows

PostgreSQL SSRF Microsoft Redis
NVD GitHub VulDB
CVSS 4.0
6.4
EPSS
0.0%
CVE-2026-40882 Maven HIGH PATCH GHSA This Week

### Summary The Velbus asset import path parses attacker-controlled XML without explicit XXE hardening. An authenticated user who can call the import endpoint may trigger XML external entity processing, which can lead to server-side file disclosure and SSRF. The target file must be less than 1023 characters. ### Details Velbus import uses `DocumentBuilderFactory.newInstance().newDocumentBuilder().parse(...)` on untrusted XML input, without explicit safeguards to disable DTD/external entities. ```154:165:agent/src/main/java/org/openremote/agent/protocol/velbus/AbstractVelbusProtocol.java @Override public Future<Void> startAssetImport(byte[] fileData, Consumer<AssetTreeNode[]> assetConsumer) { return executorService.submit(() -> { Document xmlDoc; try { String xmlStr = new String(fileData, StandardCharsets.UTF_8); LOG.info("Parsing VELBUS project file"); xmlDoc = DocumentBuilderFactory .newInstance() .newDocumentBuilder() .parse(new InputSource(new StringReader(xmlStr))); ``` Expanded `Caption` content is propagated into created asset names: ```193:198:agent/src/main/java/org/openremote/agent/protocol/velbus/AbstractVelbusProtocol.java String name = module.getElementsByTagName("Caption").item(0).getTextContent(); name = isNullOrEmpty(name) ? deviceType.toString() : name; // TODO: Use device specific asset types Asset<?> device = new ThingAsset(name); ``` ### PoC 1. Log in to a realm with a user that can call Velbus asset import. 2. Create/select a Velbus TCP Agent in that same realm. 3. Send `POST /api/{realm}/agent/assetImport/{agentId}` with a Velbus project XML payload and compare behavior against a baseline import file. 3. Save the below code as a `xxe.xml` and upload to `Setup` under `https://localhost/manager/?realm=<YOUR_REALM>#/assets/false/<ASSET_ID>`. Chnage the `file:///etc/passwd` to another file if your `passwd` is longer than 1023 characters. ```xml <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE velbus [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]> <Project> <Module type="VMB1RY" address="01" build="00" serial="LAB"> <Caption>&xxe;</Caption> </Module> </Project> ``` As long as the file content is under 1023 characters, the exploit will succeed. <img width="1200" height="662" alt="image" src="https://github.com/user-attachments/assets/213f063d-98b6-4717-b98c-f4255952026b" /> If the file content reaches the limit, an error is thrown. <img width="1200" height="630" alt="image" src="https://github.com/user-attachments/assets/ee177a6b-2cb2-48ae-94df-c994ecb41429" /> ### Impact - **Type:** XML External Entity (XXE) - **Affected:** Deployments exposing Velbus import to authenticated users with import access - **Risk:** limited local file disclosure (as long as the file is under 1023 characters) from the Manager runtime, and SSRF.

XXE SSRF Java
NVD GitHub
CVSS 3.1
7.6
EPSS
0.1%
CVE-2026-39845 PyPI MEDIUM PATCH GHSA This Month

Weblate is a web based localization tool. In versions prior to 5.17, the webhook add-on did not utilize existing SSRF protections. This issue has been fixed in version 5.17. If developers are unable to update immediately, they can disable the webhook add-on as a workaround.

SSRF Weblate
NVD GitHub
CVSS 3.1
4.1
EPSS
0.0%
CVE-2026-34244 PyPI MEDIUM PATCH GHSA This Month

Weblate is a web based localization tool. In versions prior to 5.17, a user with the project.edit permission (granted by the per-project "Administration" role) can configure machine translation service URLs pointing to arbitrary internal network addresses. During configuration validation, Weblate makes an HTTP request to the attacker-controlled URL and reflects up to 200 characters of the response body back to the user in an error message. This constitutes a Server-Side Request Forgery (SSRF) with partial response read. This issue has been fixed in version 5.17. If developers are unable to immediately upgrade, they can limit available machinery services via WEBLATE_MACHINERY setting.

Information Disclosure SSRF Weblate
NVD GitHub
CVSS 3.1
5.0
EPSS
0.0%
CVE-2026-33440 PyPI MEDIUM PATCH GHSA This Month

Weblate is a web based localization tool. In versions prior to 5.17, the ALLOWED_ASSET_DOMAINS setting applied only to the first issued requests and didn't restrict possible redirects. This issue has been fixed in version 5.17.

SSRF Weblate
NVD GitHub
CVSS 3.1
5.0
EPSS
0.0%
CVE-2026-35032 HIGH PATCH This Week

Jellyfin media server versions before 10.11.7 allow authenticated users to escalate privileges to administrator through a chained exploit involving M3U tuner SSRF, local file read, and database exfiltration. Any authenticated user can exploit this because the EnableLiveTvManagement permission defaults to enabled. The attack chain enables reading the Jellyfin database to extract admin session tokens, achieving full administrative control. CVSS 8.6 (High) reflects network-accessible attack requiring only low-privilege authentication. No active exploitation (CISA KEV) confirmed, but public disclosure via GitHub Security Advisory indicates exploit details are known.

SSRF Jellyfin
NVD GitHub
CVSS 4.0
8.6
EPSS
0.0%
CVE-2026-34160 HIGH PATCH This Week

Unauthenticated Server-Side Request Forgery (SSRF) in Chamilo LMS versions prior to 2.0.0-RC.3 allows remote attackers to access internal network services and cloud metadata endpoints via unfiltered package-url parameter in the PENS plugin. Attackers can steal AWS IAM credentials from 169.254.169.254, probe internal infrastructure, and trigger state-changing operations on internal services without requiring authentication. CVSS 8.6 (High) with Changed Scope reflects the ability to pivot from the LMS to other internal systems. No public exploit identified at time of analysis, though the attack vector is straightforward requiring only HTTP requests to the exposed endpoint.

Authentication Bypass PHP SSRF Microsoft
NVD GitHub
CVSS 3.1
8.6
EPSS
0.1%
CVE-2026-33715 HIGH PATCH This Week

Server-Side Request Forgery (SSRF) in Chamilo LMS 2.0-RC.2 allows unauthenticated remote attackers to weaponize the learning management system as an open email relay and probe internal networks. The vulnerability stems from an authentication bypass in install.ajax.php, which accepts arbitrary SMTP server connections via Symfony Mailer DSN strings. No public exploit identified at time of analysis, though exploitation complexity is low (CVSS AC:L). EPSS data not provided. Vendor-released patch: version 2.0.0-RC.3.

Authentication Bypass PHP SSRF
NVD GitHub
CVSS 3.1
7.2
EPSS
0.1%
CVE-2025-59809 MEDIUM This Month

Server-side request forgery in Fortinet FortiSOAR (both PaaS and on-premise versions 7.3 through 7.6.4) allows authenticated attackers to discover services running on local ports by crafting malicious requests. The vulnerability requires valid user credentials and carries a CVSS score of 4.3 with low confidentiality impact; no public exploit code or active exploitation has been confirmed at this time.

Fortinet SSRF
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-34225 PyPI MEDIUM POC GHSA This Month

Blind Server-Side Request Forgery in Open WebUI 0.7.2 and below allows authenticated remote attackers to scan the local network and infer open ports via the image editing prompt functionality, which performs unrestricted GET requests to user-supplied URLs. The vulnerability enables port enumeration of internal network services without exposing response content, potentially leading to reconnaissance of locally accessible services. No public exploit code or active exploitation has been confirmed; patch status remains unresolved at time of publication.

SSRF Open Webui
NVD GitHub
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-39418 MEDIUM PATCH This Month

MaxKB versions 2.7.1 and below allow authenticated users with tool-editing permissions to bypass sandbox network protection via socket.sendto() with the MSG_FASTOPEN flag, enabling connections to internal services explicitly blocked by the sandbox's banned hosts configuration. The vulnerability exploits a gap in LD_PRELOAD hooking-sendto() with MSG_FASTOPEN establishes TCP connections directly through the kernel without invoking the hooked connect() function, completely circumventing IP validation. This is a server-side request forgery (SSRF) vector that requires prior authentication and tool-editing privileges. Vendor-released patch: version 2.8.0.

Linux SSRF
NVD GitHub
CVSS 3.1
5.0
EPSS
0.0%
CVE-2026-38527 PHP HIGH GHSA This Week

Server-Side Request Forgery in Webkul Krayin CRM 2.2.x enables authenticated users to scan internal network resources and access sensitive information through the webhook creation endpoint. Attackers with low-privilege accounts can send crafted POST requests to /settings/webhooks/create, forcing the server to make requests to arbitrary internal URLs. With CVSS 8.5 (High) and scope change to other components, this allows reconnaissance of internal infrastructure, access to cloud metadata endpoints, and potential lateral movement. EPSS data not available; no public exploit identified at time of analysis, though technical details are published in security advisory.

SSRF
NVD GitHub
CVSS 3.1
8.5
EPSS
0.0%
CVE-2026-6220 LOW POC Monitor

A vulnerability was identified in HummerRisk up to 1.5.0. This vulnerability affects the function ServerService.addServer of the file ServerService.java of the component Video File Download URL Handler. Such manipulation of the argument streamIp leads to server-side request forgery. It is possible to launch the attack remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.

Java SSRF
NVD VulDB GitHub
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-33659 LOW POC PATCH Monitor

EspoCRM is an open source customer relationship management application. In versions 9.3.3 and below, the POST /api/v1/Attachment/fromImageUrl endpoint is vulnerable to Server-Side Request Forgery (SSRF) via a DNS rebinding (TOCTOU) condition. Host validation uses dns_get_record() but the actual HTTP request resolves hostnames through curl's internal resolver (gethostbyname()), allowing the two lookups to return different IP addresses for the same hostname. A secondary issue exists where an empty DNS result (due to DNS failure, IPv6-only domains, or non-existent hostnames) causes the validation to implicitly allow the host without further checks. An authenticated attacker with default attachment creation access can exploit this gap to bypass internal IP restrictions and scan internal network ports, confirm the existence of internal hosts, and interact with internal HTTP-based services, though data extraction from binary protocol services and remote code execution are not possible through this endpoint. This issue has been fixed in version 9.3.4.

RCE SSRF Espocrm
NVD GitHub
CVSS 3.1
3.5
EPSS
0.0%
CVE-2026-6215 LOW Monitor

A weakness has been identified in DbGate up to 7.1.4. The impacted element is the function apiServerUrl1 of the file packages/rest/src/openApiDriver.ts of the component REST/GraphQL. This manipulation causes server-side request forgery. The attack may be initiated remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

SSRF Dbgate
NVD VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-33534 MEDIUM POC PATCH This Month

EspoCRM is an open source customer relationship management application. Versions 9.3.3 and below have an authenticated Server-Side Request Forgery (SSRF) vulnerability that allows bypassing the internal-host validation logic by using alternative IPv4 representations such as octal notation (e.g., 0177.0.0.1 instead of 127.0.0.1). This is caused by HostCheck::isNotInternalHost() function relying on PHP's filter_var(..., FILTER_VALIDATE_IP), which does not recognize alternative IP formats, causing the validation to fall through to a DNS lookup that returns no records and incorrectly treats the host as safe, however the cURL subsequently normalizes the address and connects to the loopback destination. Through the confirmed /api/v1/Attachment/fromImageUrl endpoint, an authenticated user can force the server to make requests to loopback-only services and store the fetched response as an attachment. This vulnerability is distinct from CVE-2023-46736 (which involved redirect-based SSRF) and may allow access to internal resources reachable from the application runtime. This issue has been fixed in version 9.3.4.

SSRF Espocrm
NVD GitHub Exploit-DB VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-34476 Go HIGH PATCH GHSA This Week

Server-Side Request Forgery in Apache SkyWalking MCP 0.1.0 allows authenticated remote attackers to access internal network resources and exfiltrate sensitive data via a malicious SW-URL header. CVSS 7.1 (High severity) with network attack vector and low complexity. No public exploit identified at time of analysis, SSVC framework indicates no active exploitation and non-automatable attack requiring manual interaction with internal architecture knowledge.

Apache SSRF
NVD VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-5936 CRITICAL Act Now

Server-side request forgery in the Foxit PDF Services API (cloud offering) lets a remote attacker supply a crafted URL that the backend fetches, coercing the server into making requests to attacker-chosen internal or external destinations. Because the service processes documents and URLs on behalf of clients, this can be abused to reach cloud metadata endpoints, internal-only services, and network zones normally shielded from the public internet, potentially disclosing credentials or sensitive data. No public exploit identified at time of analysis, and EPSS is very low (0.03%, 8th percentile), consistent with CISA SSVC scoring exploitation as 'none'.

SSRF Information Disclosure Foxit Pdf Services Api
NVD VulDB
CVSS 3.1
9.8
EPSS
0.0%
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

OpenClaw before 2026.4.8 contains a server-side request forgery vulnerability in QQ Bot media download paths that bypass SSRF protection. Attackers can exploit unprotected media fetch endpoints to access internal resources and bypass allowlist policies.

SSRF Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 4.8
MEDIUM PATCH This Month

OpenClaw before 2026.4.8 contains a server-side request forgery policy bypass vulnerability allowing attackers to trigger navigations bypassing normal SSRF checks. Attackers can exploit browser interactions to bypass SSRF protections and access restricted resources.

SSRF Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 6.3
MEDIUM This Month

Server-side request forgery in NVIDIA NemoClaw's validateEndpointUrl() function allows local attackers with user interaction to supply crafted endpoint URLs targeting the 0.0.0.0/8 address range via blueprint configuration files or CLI flags, leading to information disclosure. The vulnerability affects all versions of NemoClaw and requires local access with user interaction to trigger, limiting exposure to systems where untrusted users can modify configuration or invoke CLI commands.

Information Disclosure SSRF Nvidia
NVD
EPSS 0% CVSS 2.1
LOW POC Monitor

Server-side request forgery (SSRF) in o2oa up to version 10.0 allows authenticated remote attackers to manipulate the fileUrl parameter in the FileAction component to trigger arbitrary HTTP requests from the server. The vulnerability requires authenticated access (PR:L) but can facilitate attacks against internal services, exfiltrate sensitive data, or pivot to backend systems. Publicly available exploit code exists, and the vendor has not yet responded to early notification.

Java SSRF
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

Server-side request forgery (SSRF) in BigSweetPotatoStudio HyperChat up to version 2.0.0-alpha.63 allows remote unauthenticated attackers to manipulate the baseurl argument in the AI Proxy Middleware component, enabling arbitrary HTTP requests from the affected server. The vulnerability has a publicly available exploit and CVSS 6.9 score reflecting confidentiality, integrity, and availability impact at the network level with low complexity. The vendor has not responded to early disclosure notification through the project's GitHub issue tracker.

SSRF Hyperchat
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC PATCH This Month

Server-side request forgery (SSRF) in TencentCloudBase CloudBase-MCP through version 2.17.0 allows remote unauthenticated attackers to manipulate the open-url API endpoint by injecting arbitrary URLs via the req.body.url parameter, enabling attackers to make unauthorized requests from the server to internal or external resources. The vulnerability has publicly available exploit code and affects the openUrl function in mcp/src/interactive-server.ts. Vendor-released patch version 2.17.1 is available.

SSRF Cloudbase Mcp
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM This Month

A weakness has been identified in ChatGPTNextWeb NextChat up to 2.16.1. This affects the function storeUrl of the file app/api/artifacts/route.ts of the component Artifacts Endpoint. This manipulation of the argument ID causes server-side request forgery. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.

SSRF Nextchat
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

A security flaw has been discovered in ChatGPTNextWeb NextChat up to 2.16.1. Affected by this issue is the function proxyHandler of the file app/api/[provider]/[...path]/route.ts. The manipulation results in server-side request forgery. The attack may be performed from remote. The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.

SSRF Nextchat
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM This Month

A vulnerability has been found in dmitryglhf mcp-url-downloader up to 4b8cf2de55f6e8864a77d108e8a94a5b8e4394c6. Affected by this issue is the function _validate_url_safe of the file src/mcp_url_downloader/server.py. Such manipulation of the argument url leads to server-side request forgery. The attack can be executed remotely. The exploit has been disclosed to the public and may be used. This product implements a rolling release for ongoing delivery, which means version information for affected or updated releases is unavailable. The project was informed of the problem early through an issue report but has not responded yet.

SSRF
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW Monitor

A vulnerability was found in dh1011 auto-favicon up to f189116a9259950c2393f114dbcb94dde0ad864b. This issue affects the function generate_favicon_from_url of the file src/auto_favicon/server.py of the component MCP Tool. The manipulation of the argument image_url results in server-side request forgery. The attack may be performed from remote. The exploit has been made public and could be used. This product utilizes a rolling release system for continuous delivery, and as such, version information for affected or updated releases is not disclosed. The project was informed of the problem early through an issue report but has not responded yet.

SSRF
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM This Month

A security vulnerability has been detected in AlejandroArciniegas mcp-data-vis up to de5a51525a69822290eaee569a1ab447b490746d. Affected by this vulnerability is the function axios of the file src/servers/web-scraper/server.js of the component HTTP Request Handler. Such manipulation leads to server-side request forgery. The attack may be launched remotely. The exploit has been disclosed publicly and may be used. This product operates on a rolling release basis, ensuring continuous delivery. Consequently, there are no version details for either affected or updated releases. The project was informed of the problem early through an issue report but has not responded yet.

SSRF
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

A vulnerability was detected in JoeCastrom mcp-chat-studio up to 1.5.0. Affected by this issue is some unknown functionality of the file server/routes/llm.js of the component LLM Models API. Performing a manipulation of the argument req.query.base_url results in server-side request forgery. Remote exploitation of the attack is possible. The exploit is now public and may be used. The project was informed of the problem early through an issue report but has not responded yet.

SSRF Mcp Chat Studio
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

Server-side request forgery in ShadowCloneLabs GlutamateMCPServers allows remote unauthenticated attackers to manipulate the 'url' parameter in the puppeteer_navigate component (src/puppeteer/index.ts), potentially accessing internal resources or conducting network reconnaissance. A publicly available proof-of-concept exploit exists (GitHub). EPSS data not available, but CVSS 7.3 (High) with network vector, low complexity, and no authentication requirements indicates significant accessibility. The vendor has not responded to early disclosure via GitHub issue #8, and no patch timeline exists due to the project's rolling release model.

SSRF Glutamatemcpservers
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW Monitor

Server-side request forgery in HBAI-Ltd Toonflow-app up to version 1.1.1 allows authenticated remote attackers to manipulate the Link parameter in the getCodeByLink endpoint, enabling arbitrary HTTP requests from the server. The vendor acknowledges the /getCodeByLink interface is inherently high-risk and designed to fetch and execute TypeScript code locally; public exploit code exists but vendor questions the practical exploitability of the reported vulnerability.

SSRF
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

Server-side request forgery (SSRF) in BuildingAI up to version 26.0.1 allows remote unauthenticated attackers to abuse the Remote Upload API's uploadRemoteFile function by manipulating the url parameter, enabling unauthorized access to internal resources, data exfiltration from cloud metadata services, and potential pivoting to internal network systems. A publicly available exploit exists (GitHub issue #110), but the vendor has not responded to disclosure. CVSS 7.3 with EPSS data unavailable; exploitation requires no authentication and low attack complexity (AV:N/AC:L/PR:N/UI:N), making this a high-priority remediation target despite unknown CISA KEV status.

SSRF Buildingai
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

Server-side request forgery in Typecho's Pingback Service (versions up to 1.3.0) allows remote unauthenticated attackers to force the server to make arbitrary HTTP requests to internal or external resources. The vulnerability resides in Service::sendPingHandle() function where attacker-controlled X-Pingback and link parameters bypass validation. Public exploit code exists (documented in researcher blog post), enabling immediate weaponization. CVSS 7.3 reflects network-accessible attack with no authentication required. EPSS data not available, but public POC significantly elevates real-world risk. Vendor non-responsive to early disclosure.

PHP SSRF
NVD VulDB
EPSS 0% CVSS 2.0
LOW POC Monitor

Server-side request forgery (SSRF) in Pagekit up to version 1.0.18 allows authenticated high-privilege administrators to manipulate the url parameter in the /index.php/admin/system/update/download endpoint, enabling them to force the server to make arbitrary HTTP requests to internal or external systems. Publicly available exploit code exists, and the vendor did not respond to early disclosure efforts.

PHP SSRF
NVD VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

Server-side request forgery (SSRF) in AiraHub2 allows authenticated remote attackers to manipulate the connect_stream_endpoint and sync_agents functions in AiraHub.py, enabling arbitrary HTTP requests to internal or external systems. The vulnerability affects multiple endpoints and has publicly available exploit code; however, the vendor has not responded to disclosure attempts and uses a rolling release model, making patch status unclear.

SSRF Airahub2
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

Server-side request forgery (SSRF) in devlikeapro WAHA up to version 2026.3.4 allows authenticated remote attackers to forge requests from the server via the media.controller.ts API endpoint, enabling potential reconnaissance, internal resource access, and lateral movement attacks. Publicly available exploit code exists and the vendor has not responded to disclosure efforts.

SSRF Waha
NVD VulDB GitHub
EPSS 0% CVSS 3.1
LOW PATCH Monitor

LangChain is a framework for building agents and LLM-powered applications. Prior to 1.1.14, langchain-openai's _url_to_size() helper (used by get_num_tokens_from_messages for image token counting) validated URLs for SSRF protection and then fetched them in a separate network operation with independent DNS resolution. This left a TOCTOU / DNS rebinding window: an attacker-controlled hostname could resolve to a public IP during validation and then to a private/localhost IP during the actual fetch.

SSRF Langchain Openai
NVD GitHub VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

LangChain is a framework for building agents and LLM-powered applications. Prior to langchain-text-splitters 1.1.2, HTMLHeaderTextSplitter.split_text_from_url() validated the initial URL using validate_safe_url() but then performed the fetch with requests.get() with redirects enabled (the default). Because redirect targets were not revalidated, a URL pointing to an attacker-controlled server could redirect to internal, localhost, or cloud metadata endpoints, bypassing SSRF protections. The response body is parsed and returned as Document objects to the calling application code. Whether this constitutes a data exfiltration path depends on the application: if it exposes Document contents (or derivatives) back to the requester who supplied the URL, sensitive data from internal endpoints could be leaked. Applications that store or process Documents internally without returning raw content to the requester are not directly exposed to data exfiltration through this issue. This vulnerability is fixed in 1.1.2.

Information Disclosure SSRF Langchain Text Splitters
NVD GitHub VulDB
EPSS 0% CVSS 6.8
MEDIUM POC PATCH This Month

Axios versions prior to 1.15.1 and 0.31.1 fail to properly bypass proxy configurations when no_proxy=localhost is set, allowing attackers to route requests to loopback addresses (127.0.0.1 and [::1]) through proxy servers instead of bypassing them. This Server-Side Request Forgery (SSRF) vulnerability arises because the shouldBypassProxy() function performs only string matching without resolving IP aliases or loopback equivalents, potentially exposing internal services to proxy interception or manipulation with a CVSS score of 6.8 (high confidentiality impact over changed scope).

Node.js SSRF Red Hat
NVD GitHub VulDB
Awaiting Data

Pre-NVD disclosure via oss-security: oss-security mailing list - 2026/04/13. erates session ids insecurely (Robert Rothenberg <rrwo@...nsec.org>) CVE-2025-54057: Apache SkyWalking: Stored XSS vulnerability (Zhenxu Ke <kezhenxu94@...che.org>) CVE-2026-34476: Apache SkyWalking MCP: Server-Side Request Forgery via SW-URL Header in MCP Server (Qiuxia Fan <qiuxiafan@...che.org>) CVE-2026-34884: Apache SkyWalking MCP: SSRF via set_skywalking_url Tool and GraphQL Expression Injection in MCP Server (Qiuxia Fan <qiuxiafan@...che.org>) CVE-2025-66236: Apache Airflow: Secrets from Airflow config file logged in plain text in DAG run logs UI (Rahul Vats <rahulvats@...che.org>) CVE-2026-33858: Ap

SSRF XSS Apache
NVD
EPSS 0% CVSS 4.9
MEDIUM PATCH This Month

Server-Side Request Forgery in Xibo CMS prior to version 4.4.1 allows high-privilege authenticated users with DataSet permissions to make arbitrary HTTP requests from the CMS server to internal or external resources, enabling infrastructure reconnaissance, cloud metadata access (e.g., AWS IMDS), and potential data exfiltration. Exploitation requires both 'Add DataSet' privilege and DataSet management capabilities, which are not default non-admin permissions, limiting the attack surface to trusted insiders or compromised administrative accounts.

Microsoft SSRF
NVD GitHub VulDB
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

OpenClaw before 2026.3.28 contains an SSRF guard bypass vulnerability that fails to block four IPv6 special-use ranges. Attackers can exploit this by crafting URLs targeting internal or non-routable IPv6 addresses to bypass SSRF protections.

SSRF Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 2.2
LOW PATCH Monitor

## Summary The `fetch()` call for remote images in `packages/integrations/cloudflare/src/utils/image-binding-transform.ts` (line 28) uses the default `redirect: 'follow'` behavior. This allows the Cloudflare Worker to follow HTTP redirects to arbitrary URLs, bypassing the `isRemoteAllowed()` domain allowlist check which only validates the initial URL. All three other image fetch paths in the codebase correctly use `{ redirect: 'manual' }`. This is an incomplete fix for GHSA-qpr4-c339-7vq8. Confirmed on HEAD. ## Root Cause `image-binding-transform.ts` line 28: const content = await (isRemotePath(href) ? fetch(imageSrc) : assets.fetch(imageSrc)); Missing `{ redirect: 'manual' }`. The three protected paths: // image-passthrough-endpoint.ts:23 response = await fetch(href, { redirect: 'manual' }); // assets/endpoint/shared.ts:11 const res = await fetch(src, { redirect: 'manual' }); // assets/utils/remoteProbe.ts:53 const response = await fetch(url, { redirect: 'manual' }); ## PoC Demonstrated with Node.js that `fetch()` without `redirect: 'manual'` follows 302 redirects to arbitrary destinations: # Server A (allowed domain) returns 302 → Server B (internal) fetch('http://allowed:19741/img.jpg') → follows 302 → hits http://internal:19742/secret fetch('http://allowed:19741/img.jpg', {redirect:'manual'}) → returns 302, internal server NOT hit Attack path: attacker finds an open redirect on an allowed domain, crafts `/_image?href=https://allowed-cdn.com/redirect?url=http://internal-service/`, and the Worker follows the redirect to the unauthorized destination. ## Impact Bypasses the `image.domains` and `image.remotePatterns` allowlist for the default Cloudflare image service (`cloudflare-binding`). Enables blind SSRF to domains not in the allowlist. Same vulnerability class as GHSA-qpr4-c339-7vq8 (HIGH) which fixed the passthrough endpoint but missed this one. ## Suggested Fix const content = await (isRemotePath(href) ? fetch(imageSrc, { redirect: 'manual' }) : assets.fetch(imageSrc));

Node.js SSRF Open Redirect +1
NVD GitHub
EPSS 0% CVSS 10.0
CRITICAL PATCH NO ACTION HOSTED Monitor

Server-side request forgery (ssrf) in Microsoft Entra ID Entitlement Management allows an unauthorized attacker to perform spoofing over a network.

Microsoft SSRF
NVD
EPSS 0% CVSS 8.6
HIGH PATCH NO ACTION HOSTED Monitor

Server-side request forgery (ssrf) in Microsoft Purview allows an unauthorized attacker to elevate privileges over a network.

Microsoft SSRF
NVD
EPSS 0% CVSS 9.3
CRITICAL PATCH NO ACTION HOSTED Monitor

Server-side request forgery (ssrf) in Microsoft Dynamics 365 (Online) allows an unauthorized attacker to perform spoofing over a network.

Microsoft SSRF
NVD
EPSS 0% CVSS 8.3
HIGH PATCH This Week

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, a Server-Side Request Forgery (SSRF) vulnerability exists in FlowiseAI's POST/GET API Chain components that allows unauthenticated attackers to force the server to make arbitrary HTTP requests to internal and external systems. By injecting malicious prompt templates, attackers can bypass the intended API documentation constraints and redirect requests to sensitive internal services, potentially leading to internal network reconnaissance and data exfiltration. This vulnerability is fixed in 3.1.0.

SSRF Flowise Flowise Components
NVD GitHub VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the core security wrappers (secureAxiosRequest and secureFetch) intended to prevent Server-Side Request Forgery (SSRF) contain multiple logic flaws. These flaws allow attackers to bypass the allow/deny lists via DNS Rebinding (Time-of-Check Time-of-Use) or by exploiting the default configuration which fails to enforce any deny list. This vulnerability is fixed in 3.1.0.

SSRF Flowise Flowise Components
NVD GitHub VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, a Server-Side Request Forgery (SSRF) protection bypass vulnerability exists in the Custom Function feature. While the application implements SSRF protection via HTTP_DENY_LIST for axios and node-fetch libraries, the built-in Node.js http, https, and net modules are allowed in the NodeVM sandbox without equivalent protection. This allows authenticated users to bypass SSRF controls and access internal network resources (e.g., cloud provider metadata services) This vulnerability is fixed in 3.1.0.

Node.js Authentication Bypass SSRF
NVD GitHub VulDB
EPSS 0% CVSS 6.3
MEDIUM This Month

SocialEngine versions 7.8.0 and prior contain a blind server-side request forgery vulnerability in the /core/link/preview endpoint where user-supplied input passed via the uri request parameter is not sanitized before being used to construct outbound HTTP requests. Authenticated remote attackers can supply arbitrary URLs including internal network addresses and loopback addresses to cause the server to issue HTTP requests to attacker-controlled destinations, enabling internal network enumeration and access to services not intended to be externally reachable.

SSRF Socialengine
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Blind Server-Side Request Forgery (SSRF) in Squidex prior to version 7.23.0 allows authenticated administrators to force the backend server to interact with the local filesystem via the `file://` protocol in the Restore API's `Url` parameter, potentially disclosing sensitive system information through side-channel analysis of internal logs. No public exploit code or active exploitation has been identified at time of analysis.

SSRF Squidex
NVD GitHub
EPSS 0% CVSS 7.3
HIGH PATCH This Week

Server-Side Request Forgery in Squidex versions prior to 7.23.0 allows authenticated users with asset upload permissions to force the CMS server to fetch arbitrary URLs, including internal network resources and localhost endpoints, storing the retrieved content as platform assets. This enables reconnaissance of internal infrastructure, exfiltration of cloud metadata endpoints (AWS/Azure credentials), and access to services not exposed to the internet. CVSS 7.3 (High) with CVSS 4.0 E:P (Proof-of-concept exists). Vendor patch available in version 7.23.0 per GitHub security advisory GHSA-x7cq-4f4c-8qcv.

SSRF Squidex
NVD GitHub
EPSS 0% CVSS 7.3
HIGH PATCH This Week

Server-Side Request Forgery (SSRF) in Squidex versions before 7.23.0 allows authenticated users with schema editing permissions to force the server to make arbitrary HTTP requests to internal services and cloud metadata endpoints through the Jint scripting engine. The vulnerability can expose cloud provider credentials (e.g., AWS IMDS) and enable lateral movement within internal networks. Exploitation requires only low-privilege authentication (PR:L) and has publicly available exploit code (E:P in CVSS 4.0 vector). Vendor-confirmed patch available in version 7.23.0.

SSRF Squidex
NVD GitHub
EPSS 0% CVSS 7.2
HIGH PATCH This Week

Server-Side Request Forgery in Squidex's backup restoration endpoint allows authenticated administrators to probe internal network services and access cloud metadata endpoints. The RestoreController.PostRestoreJob endpoint accepts arbitrary URLs without SSRF protection, enabling internal reconnaissance through the application's HTTP client. Exploitation requires high privileges (admin authentication) but grants access to confidential internal resources and sensitive cloud service metadata. Version 7.23.0 patches this vulnerability. EPSS exploitation probability and active exploitation status are not reported in available intelligence.

SSRF Squidex
NVD GitHub
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

Server-side request forgery in WeKan before 8.35 allows authenticated users to create or modify webhook integrations with arbitrary URLs, enabling the server to issue HTTP POST requests to internal network addresses and attacker-controlled targets. The vulnerability additionally permits unauthorized modification of comment text through response handling, affecting systems where users have integration management privileges. No active exploitation has been confirmed at time of analysis.

SSRF Wekan
NVD GitHub
EPSS 0% CVSS 8.3
HIGH PATCH This Week

Server-side request forgery in monetr's Lunch Flow integration allows authenticated users on self-hosted instances to force the server to issue HTTP GET requests to arbitrary URLs, with response bodies from failed requests reflected in API error messages. This enables information disclosure attacks against internal networks, cloud metadata endpoints (AWS EC2 instance metadata without IMDSv2), and RFC1918 private addresses. The vulnerability is compounded by unbounded response buffering that creates a denial-of-service vector via memory exhaustion. Patch available in v1.12.5. The hosted my.monetr.app service is not affected as Lunch Flow is disabled there. Self-hosted instances with default configuration (Lunch Flow enabled, public signup allowed) are at highest risk.

Information Disclosure SSRF
NVD GitHub
EPSS 0% CVSS 8.3
HIGH PATCH This Week

# Missing Admin Auth on Notification Target Endpoints in RustFS ### Finding Summary All four notification target admin API endpoints in `rustfs/src/admin/handlers/event.rs` use a `check_permissions` helper that validates authentication only (access key + session token), without performing any admin-action authorization via `validate_admin_request`. Every other admin handler in the codebase correctly calls `validate_admin_request` with a specific `AdminAction`. This is the only admin handler file that skips authorization. A non-admin user can overwrite a shared admin-defined notification target by name, causing subsequent bucket events to be delivered to an attacker-controlled endpoint. This enables cross-user event interception and audit evasion. ### What Was Proven Live 1. **Authorization bypass on all four endpoints** (03_readonly_user_bypass.py) - PUT, GET list, GET arns, DELETE all return 200 for readonly-user - Control routes (list-users, kms/status) correctly return 403 - Unauthenticated requests correctly rejected (403 Signature required) 2. **SSRF via health probe** (04_ssrf_listener_landing.py) - HEAD request from rustfs container to attacker-controlled listener - No host validation: only scheme check (http/https) 3. **Target hijacking and event exfiltration** (05_target_hijacking.py, 06_full_event_exfil.py) - Readonly-user overwrites admin-configured target URL by name - Subsequent S3 events delivered to attacker-controlled endpoint - Captured event body includes object keys, bucket names, user identities, and request metadata 4. **Audit evasion** (05_target_hijacking.py) - Readonly-user can delete unbound targets - Readonly-user can overwrite bound targets (silently redirecting events) ### Escalation Vectors Tested But Not Viable 1. **Self-referencing webhook to admin API** (13_self_referencing_test.py) - Webhook sends unsigned POST with event JSON body - Admin endpoints require SigV4 auth -- unsigned request rejected - "Confused deputy" via self-referencing does NOT work 2. **Protocol smuggling via non-HTTP targets** - Only 2 target types implemented: webhook and MQTT (`event.rs:613` enforces this) - No Redis, Kafka, AMQP, or other protocol targets exist - CRLF injection in webhook config fields sanitized by reqwest - MQTT uses rumqttc (pure Rust binary protocol client), no raw TCP injection 3. **MQTT target for RCE** - No unsafe code in MQTT handler - rumqttc 0.29.0 has no known public CVEs - No Command::new, template engines, or deserialization of broker responses 4. **Unauth access** - Endpoints correctly reject unauthenticated requests (403) - Endpoints correctly reject invalid credentials (403) ### Prior Art No existing advisory covers notification target endpoints. 11 published GHSAs on rustfs/rustfs cover different handlers. Closest: - CVE-2026-22042 (ImportIam wrong action constant) -- same bug class, different file - CVE-2026-22043 (deny_only short-circuit) -- different bug class ### Recommendation Submit via GitHub PVR. The finding is well-supported with live PoC, code references, and clear root cause. The fix is straightforward (add `validate_admin_request` calls to event.rs handlers). Core submission should reference 2-3 focused PoC scripts (readonly bypass, target hijack, event exfil), not the full set of 13 exploratory scripts. Koda Reef ### Patch This issue has been patched in version https://github.com/rustfs/rustfs/releases/tag/1.0.0-alpha.94.

SSRF Deserialization Authentication Bypass +1
NVD GitHub
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Server-Side Request Forgery (SSRF) in Craft CMS 4.x through 4.17.8 and 5.x through 5.9.14 allows unauthenticated attackers to proxy arbitrary remote HTTP requests via the `resource-js` endpoint when `trustedHosts` is not explicitly configured. By manipulating the Host header, attackers can control the derived `baseUrl` used in validation, bypassing prefix checks and forcing the server to issue requests to arbitrary destinations. Patch versions 4.17.9 and 5.9.15 address the vulnerability.

SSRF
NVD GitHub
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Server-Side Request Forgery in Craft CMS 4.x through 4.17.8 and 5.x through 5.9.14 allows authenticated users with asset management permissions to request arbitrary URLs via the GraphQL API, potentially exposing internal services or performing actions on behalf of the CMS server. Exploitation requires high-privilege role assignments ('Edit assets' and 'Create assets' in a volume) and is patched in versions 4.17.9 and 5.9.15. EPSS score indicates moderate exploitation probability despite high CVSS, suggesting this is primarily a risk in multi-user CMS deployments where privilege separation is weak.

SSRF
NVD GitHub
EPSS 0% CVSS 8.5
HIGH This Week

Server-Side Request Forgery in guardsix (formerly Logpoint) ODBC Enrichment Plugins allows authenticated Operator users to redirect stored database credentials to arbitrary internal systems by modifying connection endpoints without clearing cached credentials. The vulnerability affects versions before 5.2.1 and enables credential misuse against unintended internal databases despite Changed Scope (CVSS S:C) indicating potential cross-boundary impact. EPSS and exploitation data not available; SSVC indicates no known exploitation, non-automatable attack requiring low-privilege authentication, with partial technical impact to confidentiality and integrity.

SSRF
NVD VulDB
EPSS 0% CVSS 8.9
HIGH PATCH This Week

A server-side request forgery (SSRF) vulnerability was identified in GitHub Enterprise Server that allowed an attacker to extract sensitive environment variables from the instance through a timing side-channel attack against the notebook rendering service. When private mode was disabled, the notebook viewer followed HTTP redirects without revalidating the destination host, enabling an unauthenticated SSRF to internal services. By chaining this with regex filter queries against an internal API and measuring response time differences, an attacker could infer secret values character by character. Exploitation required that private mode be disabled and that the attacker be able to chain the instance's open redirect endpoint through an external redirect to reach internal services. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.21 and was fixed in versions 3.14.26, 3.15.21, 3.16.17, 3.17.14, 3.18.8, 3.19.5, and 3.20.1. This vulnerability was reported via the GitHub Bug Bounty program.

SSRF Open Redirect
NVD GitHub
EPSS 0% CVSS 7.7
HIGH This Week

WWBN AVideo is an open source video platform. In versions 29.0 and below, the `isSSRFSafeURL()` function in `objects/functions.php` contains a same-domain shortcircuit (lines 4290-4296) that allows any URL whose hostname matches `webSiteRootURL` to bypass all SSRF protections. Because the check compares only the hostname and ignores the port, an attacker can reach arbitrary ports on the AVideo server by using the site's public hostname with a non-standard port. The response body is saved to a web-accessible path, enabling full exfiltration. Commit a0156a6398362086390d949190f9d52a823000ba fixes the issue.

PHP SSRF
NVD GitHub
EPSS 0% CVSS 8.6
HIGH This Week

WWBN AVideo is an open source video platform. In versions 29.0 and below, an incomplete SSRF fix in AVideo's LiveLinks proxy adds `isSSRFSafeURL()` validation but leaves DNS TOCTOU vulnerabilities where DNS rebinding between validation and the actual HTTP request redirects traffic to internal endpoints. Commit 8d8fc0cadb425835b4861036d589abcea4d78ee8 contains an updated fix.

SSRF Avideo
NVD GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

Server-side request forgery in Bagisto's Downloadable Link Handler component (versions up to 2.3.15) allows authenticated remote attackers to perform arbitrary HTTP requests on behalf of the server, potentially enabling access to internal resources, metadata services, or information disclosure. The vulnerability has publicly available exploit code and affects the copy function with low-to-moderate CVSS score (5.3) but concrete real-world impact if internal services are exposed. Vendor acknowledges the issue and states fixes are coming in upcoming releases.

SSRF Bagisto
NVD VulDB
EPSS 0% CVSS 4.1
MEDIUM PATCH This Month

Server-Side Request Forgery (SSRF) in FreeScout versions before 1.8.213 allows authenticated administrators to probe internal networks and fingerprint services via unvalidated IMAP and SMTP connection test functionality. Three AJAX actions in MailboxesController pass attacker-controlled server hostnames and ports directly to fsockopen() and protocol clients without IP validation, hostname restrictions, or internal-range blocklists, enabling port scanning and service banner disclosure through IMAP debug logs and AJAX responses. The vulnerability requires admin authentication but affects confidentiality of internal infrastructure.

PHP SSRF
NVD GitHub
EPSS 0% CVSS 4.8
MEDIUM PATCH This Month

OpenClaw before version 2026.3.31 contains a server-side request forgery (SSRF) vulnerability in the marketplace plugin download functionality, where unguarded fetch() calls allow authenticated users with user interaction to make arbitrary network requests on behalf of the affected system. Remote attackers can access internal resources or interact with external services, potentially disclosing sensitive data or compromising internal infrastructure; no public exploit code or active exploitation has been identified at time of analysis.

SSRF Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 4.8
MEDIUM PATCH This Month

OpenClaw before version 2026.3.31 allows authenticated users to exploit server-side request forgery (SSRF) through unvalidated HTTP redirects in the marketplace plugin download functionality, enabling access to internal resources and potential information disclosure. The marketplace.ts module fails to validate redirect destinations during archive downloads, permitting remote attackers with valid credentials and user interaction to redirect requests to arbitrary internal or external servers. Real-world exploitation is limited by authentication and interaction requirements, keeping the baseline CVSS at 4.8 (medium), though impact depends on network exposure of internal services.

SSRF Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 7.3
HIGH PATCH This Week

Server-Side Request Forgery in Glances IP plugin allows authenticated attackers to force the monitoring application to send HTTP requests to arbitrary internal or external endpoints, with automatic credential leakage when public_username and public_password are configured. The vulnerability affects all versions prior to 4.5.4 and arises from insufficient validation of the public_api configuration parameter. EPSS exploitation probability is low (0.04%, 12th percentile), but SSVC framework confirms proof-of-concept availability and automatable exploitation with partial technical impact. Vendor patch released in version 4.5.4.

SSRF Information Disclosure Suse
NVD GitHub
EPSS 0% CVSS 7.5
HIGH POC PATCH This Week

Server-Side Request Forgery (SSRF) in InternLM LMDeploy's vision-language module allows remote unauthenticated attackers to access cloud metadata services, internal networks, and sensitive resources through unvalidated URL fetching in the load_image() function. Affects all versions prior to 0.12.3. EPSS score not available; no public exploit identified at time of analysis. Patch released in version 0.12.3.

SSRF Lmdeploy
NVD GitHub VulDB
EPSS 0% CVSS 5.8
MEDIUM PATCH This Month

Server-Side Request Forgery in Vexa meeting bot allows unauthenticated remote attackers to forge HTTP POST requests to arbitrary internal URLs (Redis, databases, cloud metadata endpoints) via unvalidated webhook configuration, enabling credential theft and lateral movement. CVSS 5.8 with network attack vector and no user interaction required. Fixed in version 0.10.0-260419-1910.

SSRF Redis
NVD GitHub
EPSS 0% CVSS 8.3
HIGH PATCH This Week

Server-Side Request Forgery in Vvveb CMS versions prior to 1.0.8.1 allows authenticated backend users to read arbitrary local files via file:// URLs or probe internal network services via http:// URLs through the oEmbedProxy action's unvalidated url parameter. The vulnerability (CWE-918) enables information disclosure from the web server's filesystem and internal network reconnaissance. Patch available in version 1.0.8.1. EPSS data not provided; no CISA KEV listing indicates no confirmed widespread exploitation at time of analysis.

SSRF Vvveb
NVD GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

Server-side request forgery in Qibo CMS 1.0 allows authenticated remote attackers to manipulate the 'starts' parameter in /index/image/headers endpoint, triggering arbitrary internal requests from the server. Publicly available exploit code exists. The vendor did not respond to early disclosure notification, leaving no patched version available.

SSRF Cms
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

Server-side request forgery (SSRF) in Mogu Blog v2 up to version 5.2 allows unauthenticated remote attackers to initiate arbitrary HTTP requests from the affected server through the picture upload functionality. The vulnerability exists in the LocalFileServiceImpl.uploadPictureByUrl method within the Picture Storage Service component, enabling attackers to access internal services, scan internal networks, or exfiltrate sensitive data. Publicly available exploit code exists, and the vendor has not responded to early disclosure notifications.

SSRF Java
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

Server-side request forgery in Dify up to version 1.13.3 allows authenticated remote attackers to manipulate the URL argument in the ApiBasedToolSchemaParser component, enabling arbitrary HTTP requests from the server to internal or external systems. The vulnerability affects the parse_openai_plugin_json_to_tool_bundle function in api/core/tools/utils/parser.py. Publicly available exploit code exists, and the vendor has not responded to early disclosure notification.

SSRF Dify
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

Server-side request forgery (SSRF) in Dify's ApiToolManageService allows authenticated remote attackers to manipulate the URL argument in the get_api_tool_provider_remote_schema function, enabling them to make arbitrary HTTP requests from the server. Affects Dify versions up to 0.6.9. Publicly available exploit code exists, and the vendor has not responded to early disclosure attempts.

SSRF Dify
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

Server-side request forgery (SSRF) in TransformerOptimus SuperAGI up to version 0.0.14 allows authenticated remote attackers to manipulate the WebScraperTool's webpage extraction functions (extract_with_bs4, extract_with_3k, extract_with_lxml) to forge requests to arbitrary servers. The vulnerability has publicly available exploit code and low vendor responsiveness, creating immediate risk for deployments using affected versions.

SSRF Superagi
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

Modelscope AgentScope versions up to 1.0.18 contain a server-side request forgery (SSRF) vulnerability in the _process_audio_block function that allows remote unauthenticated attackers to manipulate the 'url' argument and trigger arbitrary HTTP requests from the vulnerable server. Publicly available exploit code exists, and the vendor has not responded to disclosure attempts, leaving affected deployments without an official patch.

SSRF Agentscope
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

Server-side request forgery in ModelScope AgentScope up to version 1.0.18 allows remote unauthenticated attackers to manipulate the _get_bytes_from_web_url function in src/agentscope/_utils/_common.py, enabling them to make arbitrary HTTP requests from the affected server. Publicly available exploit code exists, and the vendor has not responded to early disclosure attempts, leaving affected installations vulnerable to attackers probing internal networks and services.

SSRF Agentscope
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

Server-side request forgery (SSRF) in ModelScope AgentScope up to version 1.0.18 allows remote unauthenticated attackers to manipulate image_url and audio_file_url parameters in the _parse_url, prepare_image, and openai_audio_to_text functions, enabling arbitrary HTTP requests from the affected server. The vulnerability has publicly available exploit code and affects the Cloud Metadata Endpoint component. The vendor has not responded to early disclosure attempts, and exploitation is confirmed to be possible with low attack complexity.

SSRF Agentscope
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

Server-side request forgery in vibrantlabsai RAGAS up to version 0.4.3 allows authenticated remote attackers to manipulate the retrieved_contexts argument in the Collections Module's _try_process_local_file and _try_process_url functions, enabling arbitrary file reads and network requests with the application's privileges. Publicly available exploit code exists; the vendor has not responded to early disclosure attempts despite the security patch for related CVE-2025-45691 being applied to a different module only.

SSRF Ragas
NVD VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

Server-side request forgery in PHPEMS 11.0 allows authenticated remote attackers to manipulate the uploadfile parameter in the Instant Exam Creation Handler component, enabling SSRF attacks that can access internal resources or perform unauthorized requests from the server. The vulnerability affects the temppage function in /app/exam/controller/exams.master.php and has public exploit code available, though exploitation requires valid user credentials (PR:L).

PHP SSRF
NVD VulDB
EPSS 0% CVSS 7.7
HIGH PATCH This Week

Server-Side Request Forgery in Movary movie tracking application allows authenticated users to probe internal networks and metadata endpoints. The /settings/jellyfin/server-url-verify endpoint accepts user-controlled URLs without validating against private IP ranges, enabling internal reconnaissance through the server's context. Affects all versions prior to 0.71.1. EPSS data not available, but exploitation requires only low-privilege authentication (CVSS PR:L) with no attack complexity, making this readily exploitable by any registered user. Upstream fix confirmed in version 0.71.1 via GitHub commit d459b35.

SSRF Movary
NVD GitHub VulDB
EPSS 0% CVSS 2.3
LOW PATCH Monitor

mcp-neo4j-cypher before version 0.6.0 allows authenticated users to bypass read-only mode enforcement via APOC CALL procedures, enabling unauthorized write operations and server-side request forgery against Neo4j databases. The vulnerability requires login credentials and attacker preparation (CVSS AT:P), limiting real-world risk to insider threats or compromised accounts with legitimate access to the MCP server.

Authentication Bypass SSRF Mcp Neo4J
NVD GitHub VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Server-Side Request Forgery in OpenHarness AI agent framework (pre-commit bd4df81) permits remote unauthenticated attackers to manipulate web_fetch and web_search tool parameters, forcing the agent to make HTTP requests to internal infrastructure including RFC1918 private networks, localhost services, and cloud metadata endpoints (e.g., AWS EC2 169.254.169.254). Changed scope (S:C) in CVSS vector indicates potential for pivoting beyond the vulnerable application's trust boundary. EPSS data unavailable; no public exploit identified at time of analysis, though exploitation technique is well-understood for SSRF class vulnerabilities. Patch available via GitHub commit bd4df81.

SSRF Openharness
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

Server-side request forgery (SSRF) in TinyFileManager file upload handler (versions up to 2.6) allows authenticated remote attackers to manipulate the uploadurl parameter and forge requests to arbitrary servers. The vulnerability affects the /filemanager.php?p=&ajax=true&type=upload endpoint and has publicly available exploit code; the vendor has not responded to disclosure attempts.

PHP SSRF File Upload
NVD VulDB
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

GREENmod before 2.8.33 allows remote code execution and server-side request forgery via incorrectly configured named pipes that accept unauthenticated XML or JSON file uploads, processing them with service-level privileges on Windows systems. An attacker on the network can abuse this to trigger SSRF attacks against SMB or WebDAV targets accessible to the service account, potentially compromising internal Windows infrastructure without authentication.

SSRF Microsoft
NVD
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Server-side request forgery (SSRF) in HashiCorp Vault's PKI engine ACME validation allows unauthenticated remote attackers to send http-01 and tls-alpn-01 challenge requests to local network targets by controlling DNS responses, potentially disclosing sensitive information from internal services. The vulnerability affects Vault Community Edition before 2.0.0 and Vault Enterprise before 1.19.16, 1.20.10, or 1.21.5. HashiCorp has released patched versions; no public exploit code has been identified at the time of analysis.

SSRF Hashicorp Information Disclosure
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Server-Side Request Forgery (SSRF) in Craftql PHP library versions 1.3.7 and earlier enables remote attackers to force the server to make unintended requests, potentially leading to arbitrary code execution. The vulnerability resides in the GetAssetsFieldSchema.php listener component. No active exploitation is confirmed (not in CISA KEV), but a proof-of-concept repository with detailed exploitation documentation exists on GitHub. Despite the CVSS 7.5 rating, the extremely low EPSS score (0.01%, 0th percentile) indicates minimal real-world exploitation activity observed to date. The description claims RCE capability, but the CVSS vector shows only confidentiality impact (C:H/I:N/A:N), suggesting the SSRF may enable information disclosure that could chain into RCE rather than direct code execution - verification with vendor advisories needed.

PHP SSRF RCE +1
NVD GitHub VulDB
EPSS 0% CVSS 6.1
MEDIUM POC This Month

ProcessWire CMS version 3.0.255 and prior contain a server-side request forgery vulnerability in the admin panel's 'Add Module From URL' feature that allows authenticated administrators to supply arbitrary URLs to the module download parameter, causing the server to issue outbound HTTP requests to attacker-controlled internal or external hosts. Attackers can exploit differentiable error messages returned by the server to perform reliable internal network port scanning, host enumeration across RFC-1918 ranges, and potential access to cloud instance metadata endpoints.

SSRF Processwire
NVD GitHub VulDB
EPSS 0% CVSS 6.4
MEDIUM PATCH This Month

## Summary NocoBase's workflow HTTP request plugin and custom request action plugin make server-side HTTP requests to user-provided URLs without any SSRF protection. An authenticated user can access internal network services, cloud metadata endpoints, and localhost. ## Vulnerable Code ### 1. Workflow HTTP Request Plugin **`packages/plugins/@nocobase/plugin-workflow-request/src/server/RequestInstruction.ts` lines 117-128:** ```typescript return axios.request({ url: trim(url), // User-controlled, no validation method, headers, params, timeout, ...(method.toLowerCase() !== 'get' && data != null ? { data: transformer ? await transformer(data) : data } : {}), }); ``` The `url` at line 98 comes directly from user workflow configuration with only whitespace trimming. ### 2. Custom Request Action Plugin **`packages/plugins/@nocobase/plugin-action-custom-request/src/server/actions/send.ts` lines 172-198:** ```typescript const axiosRequestConfig = { baseURL: ctx.origin, ...options, url: getParsedValue(url, variables), // User-controlled via template headers: { ... }, params: getParsedValue(arrayToObject(params), variables), data: getParsedValue(toJSON(data), variables), }; const res = await axios(axiosRequestConfig); // No IP validation ``` ## Missing Protections - No `request-filtering-agent` or SSRF library (confirmed via grep across entire codebase) - No private IP range filtering - No cloud metadata endpoint blocking - No URL scheme validation - No DNS rebinding protection ## Attack Scenario 1. Authenticated user creates a workflow with HTTP Request node 2. Sets URL to `http://169.254.169.254/latest/meta-data/iam/security-credentials/` 3. Triggers the workflow 4. Server fetches AWS metadata and returns IAM credentials in workflow execution logs Alternatively via Custom Request action: 1. Create custom request with URL `http://127.0.0.1:5432` or `http://10.0.0.1:8080/admin` 2. Execute the action 3. Server makes request to internal service ## Impact - **Cloud metadata theft**: AWS/GCP/Azure credentials via metadata endpoints - **Internal network access**: Scan and interact with services on private IP ranges - **Database access**: Connect to localhost databases (PostgreSQL, Redis, etc.) - **Authentication required**: Yes (authenticated user), but any workspace member can create workflows

PostgreSQL SSRF Microsoft +1
NVD GitHub VulDB
EPSS 0% CVSS 7.6
HIGH PATCH This Week

### Summary The Velbus asset import path parses attacker-controlled XML without explicit XXE hardening. An authenticated user who can call the import endpoint may trigger XML external entity processing, which can lead to server-side file disclosure and SSRF. The target file must be less than 1023 characters. ### Details Velbus import uses `DocumentBuilderFactory.newInstance().newDocumentBuilder().parse(...)` on untrusted XML input, without explicit safeguards to disable DTD/external entities. ```154:165:agent/src/main/java/org/openremote/agent/protocol/velbus/AbstractVelbusProtocol.java @Override public Future<Void> startAssetImport(byte[] fileData, Consumer<AssetTreeNode[]> assetConsumer) { return executorService.submit(() -> { Document xmlDoc; try { String xmlStr = new String(fileData, StandardCharsets.UTF_8); LOG.info("Parsing VELBUS project file"); xmlDoc = DocumentBuilderFactory .newInstance() .newDocumentBuilder() .parse(new InputSource(new StringReader(xmlStr))); ``` Expanded `Caption` content is propagated into created asset names: ```193:198:agent/src/main/java/org/openremote/agent/protocol/velbus/AbstractVelbusProtocol.java String name = module.getElementsByTagName("Caption").item(0).getTextContent(); name = isNullOrEmpty(name) ? deviceType.toString() : name; // TODO: Use device specific asset types Asset<?> device = new ThingAsset(name); ``` ### PoC 1. Log in to a realm with a user that can call Velbus asset import. 2. Create/select a Velbus TCP Agent in that same realm. 3. Send `POST /api/{realm}/agent/assetImport/{agentId}` with a Velbus project XML payload and compare behavior against a baseline import file. 3. Save the below code as a `xxe.xml` and upload to `Setup` under `https://localhost/manager/?realm=<YOUR_REALM>#/assets/false/<ASSET_ID>`. Chnage the `file:///etc/passwd` to another file if your `passwd` is longer than 1023 characters. ```xml <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE velbus [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]> <Project> <Module type="VMB1RY" address="01" build="00" serial="LAB"> <Caption>&xxe;</Caption> </Module> </Project> ``` As long as the file content is under 1023 characters, the exploit will succeed. <img width="1200" height="662" alt="image" src="https://github.com/user-attachments/assets/213f063d-98b6-4717-b98c-f4255952026b" /> If the file content reaches the limit, an error is thrown. <img width="1200" height="630" alt="image" src="https://github.com/user-attachments/assets/ee177a6b-2cb2-48ae-94df-c994ecb41429" /> ### Impact - **Type:** XML External Entity (XXE) - **Affected:** Deployments exposing Velbus import to authenticated users with import access - **Risk:** limited local file disclosure (as long as the file is under 1023 characters) from the Manager runtime, and SSRF.

XXE SSRF Java
NVD GitHub
EPSS 0% CVSS 4.1
MEDIUM PATCH This Month

Weblate is a web based localization tool. In versions prior to 5.17, the webhook add-on did not utilize existing SSRF protections. This issue has been fixed in version 5.17. If developers are unable to update immediately, they can disable the webhook add-on as a workaround.

SSRF Weblate
NVD GitHub
EPSS 0% CVSS 5.0
MEDIUM PATCH This Month

Weblate is a web based localization tool. In versions prior to 5.17, a user with the project.edit permission (granted by the per-project "Administration" role) can configure machine translation service URLs pointing to arbitrary internal network addresses. During configuration validation, Weblate makes an HTTP request to the attacker-controlled URL and reflects up to 200 characters of the response body back to the user in an error message. This constitutes a Server-Side Request Forgery (SSRF) with partial response read. This issue has been fixed in version 5.17. If developers are unable to immediately upgrade, they can limit available machinery services via WEBLATE_MACHINERY setting.

Information Disclosure SSRF Weblate
NVD GitHub
EPSS 0% CVSS 5.0
MEDIUM PATCH This Month

Weblate is a web based localization tool. In versions prior to 5.17, the ALLOWED_ASSET_DOMAINS setting applied only to the first issued requests and didn't restrict possible redirects. This issue has been fixed in version 5.17.

SSRF Weblate
NVD GitHub
EPSS 0% CVSS 8.6
HIGH PATCH This Week

Jellyfin media server versions before 10.11.7 allow authenticated users to escalate privileges to administrator through a chained exploit involving M3U tuner SSRF, local file read, and database exfiltration. Any authenticated user can exploit this because the EnableLiveTvManagement permission defaults to enabled. The attack chain enables reading the Jellyfin database to extract admin session tokens, achieving full administrative control. CVSS 8.6 (High) reflects network-accessible attack requiring only low-privilege authentication. No active exploitation (CISA KEV) confirmed, but public disclosure via GitHub Security Advisory indicates exploit details are known.

SSRF Jellyfin
NVD GitHub
EPSS 0% CVSS 8.6
HIGH PATCH This Week

Unauthenticated Server-Side Request Forgery (SSRF) in Chamilo LMS versions prior to 2.0.0-RC.3 allows remote attackers to access internal network services and cloud metadata endpoints via unfiltered package-url parameter in the PENS plugin. Attackers can steal AWS IAM credentials from 169.254.169.254, probe internal infrastructure, and trigger state-changing operations on internal services without requiring authentication. CVSS 8.6 (High) with Changed Scope reflects the ability to pivot from the LMS to other internal systems. No public exploit identified at time of analysis, though the attack vector is straightforward requiring only HTTP requests to the exposed endpoint.

Authentication Bypass PHP SSRF +1
NVD GitHub
EPSS 0% CVSS 7.2
HIGH PATCH This Week

Server-Side Request Forgery (SSRF) in Chamilo LMS 2.0-RC.2 allows unauthenticated remote attackers to weaponize the learning management system as an open email relay and probe internal networks. The vulnerability stems from an authentication bypass in install.ajax.php, which accepts arbitrary SMTP server connections via Symfony Mailer DSN strings. No public exploit identified at time of analysis, though exploitation complexity is low (CVSS AC:L). EPSS data not provided. Vendor-released patch: version 2.0.0-RC.3.

Authentication Bypass PHP SSRF
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM This Month

Server-side request forgery in Fortinet FortiSOAR (both PaaS and on-premise versions 7.3 through 7.6.4) allows authenticated attackers to discover services running on local ports by crafting malicious requests. The vulnerability requires valid user credentials and carries a CVSS score of 4.3 with low confidentiality impact; no public exploit code or active exploitation has been confirmed at this time.

Fortinet SSRF
NVD
EPSS 0% CVSS 4.3
MEDIUM POC This Month

Blind Server-Side Request Forgery in Open WebUI 0.7.2 and below allows authenticated remote attackers to scan the local network and infer open ports via the image editing prompt functionality, which performs unrestricted GET requests to user-supplied URLs. The vulnerability enables port enumeration of internal network services without exposing response content, potentially leading to reconnaissance of locally accessible services. No public exploit code or active exploitation has been confirmed; patch status remains unresolved at time of publication.

SSRF Open Webui
NVD GitHub
EPSS 0% CVSS 5.0
MEDIUM PATCH This Month

MaxKB versions 2.7.1 and below allow authenticated users with tool-editing permissions to bypass sandbox network protection via socket.sendto() with the MSG_FASTOPEN flag, enabling connections to internal services explicitly blocked by the sandbox's banned hosts configuration. The vulnerability exploits a gap in LD_PRELOAD hooking-sendto() with MSG_FASTOPEN establishes TCP connections directly through the kernel without invoking the hooked connect() function, completely circumventing IP validation. This is a server-side request forgery (SSRF) vector that requires prior authentication and tool-editing privileges. Vendor-released patch: version 2.8.0.

Linux SSRF
NVD GitHub
EPSS 0% CVSS 8.5
HIGH This Week

Server-Side Request Forgery in Webkul Krayin CRM 2.2.x enables authenticated users to scan internal network resources and access sensitive information through the webhook creation endpoint. Attackers with low-privilege accounts can send crafted POST requests to /settings/webhooks/create, forcing the server to make requests to arbitrary internal URLs. With CVSS 8.5 (High) and scope change to other components, this allows reconnaissance of internal infrastructure, access to cloud metadata endpoints, and potential lateral movement. EPSS data not available; no public exploit identified at time of analysis, though technical details are published in security advisory.

SSRF
NVD GitHub
EPSS 0% CVSS 2.0
LOW POC Monitor

A vulnerability was identified in HummerRisk up to 1.5.0. This vulnerability affects the function ServerService.addServer of the file ServerService.java of the component Video File Download URL Handler. Such manipulation of the argument streamIp leads to server-side request forgery. It is possible to launch the attack remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.

Java SSRF
NVD VulDB GitHub
EPSS 0% CVSS 3.5
LOW POC PATCH Monitor

EspoCRM is an open source customer relationship management application. In versions 9.3.3 and below, the POST /api/v1/Attachment/fromImageUrl endpoint is vulnerable to Server-Side Request Forgery (SSRF) via a DNS rebinding (TOCTOU) condition. Host validation uses dns_get_record() but the actual HTTP request resolves hostnames through curl's internal resolver (gethostbyname()), allowing the two lookups to return different IP addresses for the same hostname. A secondary issue exists where an empty DNS result (due to DNS failure, IPv6-only domains, or non-existent hostnames) causes the validation to implicitly allow the host without further checks. An authenticated attacker with default attachment creation access can exploit this gap to bypass internal IP restrictions and scan internal network ports, confirm the existence of internal hosts, and interact with internal HTTP-based services, though data extraction from binary protocol services and remote code execution are not possible through this endpoint. This issue has been fixed in version 9.3.4.

RCE SSRF Espocrm
NVD GitHub
EPSS 0% CVSS 2.1
LOW Monitor

A weakness has been identified in DbGate up to 7.1.4. The impacted element is the function apiServerUrl1 of the file packages/rest/src/openApiDriver.ts of the component REST/GraphQL. This manipulation causes server-side request forgery. The attack may be initiated remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

SSRF Dbgate
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM POC PATCH This Month

EspoCRM is an open source customer relationship management application. Versions 9.3.3 and below have an authenticated Server-Side Request Forgery (SSRF) vulnerability that allows bypassing the internal-host validation logic by using alternative IPv4 representations such as octal notation (e.g., 0177.0.0.1 instead of 127.0.0.1). This is caused by HostCheck::isNotInternalHost() function relying on PHP's filter_var(..., FILTER_VALIDATE_IP), which does not recognize alternative IP formats, causing the validation to fall through to a DNS lookup that returns no records and incorrectly treats the host as safe, however the cURL subsequently normalizes the address and connects to the loopback destination. Through the confirmed /api/v1/Attachment/fromImageUrl endpoint, an authenticated user can force the server to make requests to loopback-only services and store the fetched response as an attachment. This vulnerability is distinct from CVE-2023-46736 (which involved redirect-based SSRF) and may allow access to internal resources reachable from the application runtime. This issue has been fixed in version 9.3.4.

SSRF Espocrm
NVD GitHub Exploit-DB VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Server-Side Request Forgery in Apache SkyWalking MCP 0.1.0 allows authenticated remote attackers to access internal network resources and exfiltrate sensitive data via a malicious SW-URL header. CVSS 7.1 (High severity) with network attack vector and low complexity. No public exploit identified at time of analysis, SSVC framework indicates no active exploitation and non-automatable attack requiring manual interaction with internal architecture knowledge.

Apache SSRF
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL Act Now

Server-side request forgery in the Foxit PDF Services API (cloud offering) lets a remote attacker supply a crafted URL that the backend fetches, coercing the server into making requests to attacker-chosen internal or external destinations. Because the service processes documents and URLs on behalf of clients, this can be abused to reach cloud metadata endpoints, internal-only services, and network zones normally shielded from the public internet, potentially disclosing credentials or sensitive data. No public exploit identified at time of analysis, and EPSS is very low (0.03%, 8th percentile), consistent with CISA SSVC scoring exploitation as 'none'.

SSRF Information Disclosure Foxit Pdf Services Api
NVD VulDB
Prev Page 7 of 32 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy