Server-Side Request Forgery
Server-Side Request Forgery exploits applications that fetch remote resources based on user-supplied URLs.
How It Works
Server-Side Request Forgery exploits applications that fetch remote resources based on user-supplied URLs. When a web server accepts a URL parameter to retrieve external content—for example, to proxy images, validate webhooks, or import data—an attacker can manipulate that parameter to make the server send requests to unintended destinations. The critical issue is that these requests originate from the server itself, bypassing firewalls and network controls that would block direct external access.
Attacks come in several forms. Direct SSRF gives the attacker full control over the destination URL, allowing them to target internal services like http://localhost:8080/admin or cloud metadata endpoints at http://169.254.169.254/latest/meta-data/. Blind SSRF occurs when the application makes the request but doesn't return the response to the attacker—they must rely on timing differences or out-of-band techniques to confirm success. Partial SSRF restricts the attacker to modifying only part of the URL, such as the hostname or path, requiring more creative exploitation.
The typical attack flow starts with identifying URL parameters that trigger server-side requests. The attacker then probes for internal services by injecting internal IP addresses or localhost references. Common targets include administrative interfaces, internal REST APIs, Redis or Memcached instances, and especially cloud metadata services that expose IAM credentials. Attackers often employ bypass techniques like encoding IPs in decimal format (2130706433 for 127.0.0.1), exploiting URL parser discrepancies between validation and execution layers, or chaining with open redirects to evade basic filters.
Impact
- Access to internal services that should be network-isolated—admin panels, monitoring dashboards, configuration endpoints
- Cloud credential theft via metadata APIs, particularly AWS IAM role credentials exposed at 169.254.169.254
- Reading local files through
file://protocol support, exposing configuration files and source code - Network reconnaissance to map internal infrastructure and identify additional attack targets
- Remote code execution on back-end systems like Redis or Elasticsearch that accept commands over HTTP
- Pivoting deeper into internal networks by using the compromised server as a proxy for further attacks
Real-World Examples
Capital One suffered a massive breach in 2019 when an attacker exploited SSRF in a web application firewall to query AWS metadata services, stealing credentials that granted access to over 100 million customer records. The vulnerability allowed requests to the internal metadata endpoint that should have been unreachable.
Shopify's infrastructure exposed internal Google Cloud metadata in 2020 through an image proxy feature. Security researchers demonstrated they could retrieve service account credentials by tricking the proxy into fetching from the metadata API, potentially compromising the entire GCP environment.
Numerous CVEs in enterprise products highlight SSRF in common features: webhook validators in GitLab, PDF generators that fetch remote images, and document conversion services. These typically manifest when URL validation assumes all requests will target external internet resources, failing to anticipate internal network abuse.
Mitigation
- Allowlist approved destination domains rather than trying to blocklist dangerous ones—only permit necessary external services
- Disable unnecessary URL schemes entirely (file://, gopher://, dict://)—restrict to https:// only where possible
- Network segmentation to prevent application servers from reaching internal infrastructure—use separate VLANs or VPCs
- Deploy cloud metadata protections like AWS IMDSv2 requiring session tokens, making metadata unavailable to simple HTTP requests
- Validate and parse URLs consistently using a single library, then verify resolved IP addresses aren't private ranges
- Remove response bodies from errors to prevent information disclosure in blind SSRF scenarios
Recent CVEs (2848)
Server-Side Request Forgery in ToolHive's host-side authentication discovery flow allows a malicious or compromised remote MCP server to force the ToolHive host process to issue arbitrary internal HTTP GET requests with redirect following and no address filtering, bypassing the container isolation that ToolHive is architecturally designed to enforce. Affected versions include all releases through v0.29.3 (commit b672d82f confirmed 2026-06-14); the fix is available in v0.31.0. A publicly reproducible proof-of-concept with recording exists demonstrating retrieval of cloud instance metadata via AWS IMDSv1 redirect; no CISA KEV listing is present, but the exploit is fully operationalized without special infrastructure on any deployment with IMDSv1 enabled.
SSRF protection bypass in the Doyensec safeurl Go library (versions prior to 0.2.4) allows network requests to four newly standardized IPv6 CIDR ranges that were absent from the library's internal blocklist. Applications that explicitly enable IPv6 via EnableIPv6(true) and rely on safeurl to enforce SSRF controls are exposed; attackers who can supply attacker-controlled URLs to such applications may reach internal resources hosted on NAT64 local-use (64:ff9b:1::/48), SRv6 SID (5f00::/16), documentation (3fff::/20), or Dummy IPv6 (100:0:0:1::/64) address space. No public exploit code or CISA KEV listing has been identified at time of analysis.
ToolHive's hand-maintained SSRF guard (`networking.IsPrivateIP`) omits IPv6 NAT64 prefixes `64:ff9b::/96` (RFC 6052) and `64:ff9b:1::/48` (RFC 8215), allowing addresses like `64:ff9b:1::a9fe:a9fe` - the NAT64 encoding of the cloud metadata endpoint `169.254.169.254` - to be misclassified as globally routable and pass unchecked. On ToolHive deployments behind a NAT64/DNS64 gateway (the default in IPv6-only Kubernetes clusters and several IPv6-only cloud environments), an unauthenticated attacker can submit a crafted OAuth `client_id` URL that causes ToolHive's CIMD fetcher to dial internal or link-local addresses the guard is intended to block, achieving a blind internal-reachability oracle. Practical impact is limited to TCP/TLS connection probing rather than credential exfiltration due to HTTPS-only enforcement and TLS verification on the attacker-controlled path; a complete proof-of-concept is publicly available in the vendor advisory, and no public exploit identified at time of analysis as a KEV-listed active campaign.
Server-side request forgery in Wekan's webhook integration feature allows board administrators to register malicious webhook URLs that the Wekan server later fetches without private-network validation, enabling unauthorized access to internal services and cloud metadata endpoints. All Wekan deployments prior to version 9.32 are affected; the root cause is that the existing validateAttachmentUrl() guard present in models/lib/attachmentUrlValidation.js was never wired into the webhook creation and update API paths. No public exploit has been identified and this is not listed in CISA KEV, but cloud-hosted Wekan instances face meaningful credential theft risk via cloud metadata service access.
Server-side request forgery in the strands-agents-tools elasticsearch_memory tool enables prompt-injection attacks that exfiltrate the operator's Elasticsearch API key to attacker-controlled infrastructure. Applications using strands-agents-tools prior to 0.7.0 that rely on the ELASTICSEARCH_API_KEY environment-variable fallback - rather than explicitly passing api_key - are exposed to credential theft when an attacker can influence LLM input. No public exploit code or CISA KEV listing has been identified at time of analysis, but the prompt-injection-to-SSRF primitive is well understood in the AI agent security community and the credential-theft impact warrants prompt remediation.
Full-read SSRF in Koel's podcast subscription feature allows any authenticated user to coerce the server into fetching internal HTTP endpoints - including cloud instance metadata services - and receive the full response. The vulnerability exists because PHP's `filter_var` with `FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE` does not unwrap NAT64 (`64:ff9b::/96`) or 6to4 (`2002::/16`) IPv6 transition addresses, both of which deterministically embed a private IPv4 that the OS kernel routes internally. This affects all Koel deployments through v9.7.0 on NAT64 or dual-stack networks (the default for IPv6-only AWS and GCP subnets); a detailed proof-of-concept with verbatim server output is published in the advisory. No public exploit code is in KEV at time of analysis, but the PoC substantially lowers the exploitation barrier.
Server-side request forgery in Koel (self-hosted PHP music-streaming server, all releases up to and including 9.7.0) lets any authenticated low-privilege user coerce the server into requesting arbitrary internal or cloud-metadata endpoints. The flaw is an incomplete fix for CVE-2026-47260: the initial isSafeUrl() check was added to several podcast/radio fetchers, but per-redirect-hop re-validation was wired into only one path (EpisodePlayable), leaving every sibling fetcher bypassable via an attacker-controlled host that returns an HTTP 302 to an internal address, and all paths bypassable via DNS rebinding. A researcher mechanism PoC confirms exploitation; not listed in CISA KEV and no evidence of active exploitation.
{id}. Publicly available exploit code exists (a working PoC is published in the GHSA advisory), but it is not in CISA KEV and no active exploitation is identified.
Authenticated blind SSRF in Koel v9.6.0 allows any logged-in user to trigger server-side HTTP requests to private, loopback, and RFC1918 destinations by exploiting a missing SafeUrl validation guard on the Subsonic-compatible createPodcastChannel.view route. The main podcast API correctly rejects private URLs with a 422 error, but the Subsonic compatibility layer omits the same SafeUrl rule, and the attacker-supplied URL is fetched synchronously during channel creation via Poddle::fromUrl() - no separate step required. No public exploit identified at time of analysis per KEV status, but a fully documented public PoC with step-by-step curl commands is available in GHSA-w79m-f3jx-779v, validated against the official phanan/koel:9.6.0 Docker image.
Server-side request forgery in Penpot before 2.15.0 lets an authenticated file editor coerce the backend into fetching attacker-chosen URLs via the remote image import feature, reaching internal-only endpoints that are normally unreachable from the outside. The :create-file-media-object-from-url RPC method passes a user-controlled URL to the shared HTTP client with no destination filtering (CVSS 7.7, scope-changed). No public exploit has been identified at time of analysis, but the fix in 2.15.0 is confirmed by the vendor advisory GHSA-35g2-w7f6-8v9h.
{domain}/icon.png endpoint, bypassing the server's address blocklist. The icon-fetching HTTP client in src/http_client.rs applied should_block_address() and post_resolve() checks only against standard dotted-decimal notation, leaving alternative encodings - such as 0x7f000001 or 2130706433 for 127.0.0.1 - fully unblocked. No public exploit has been identified at time of analysis, and the issue is fixed in version 1.36.0.
Server-Side Request Forgery in Cloudreve's remote download workflow (versions prior to 4.16.1) enables authenticated users holding the remote download permission to direct the application server to fetch arbitrary internal URLs via POST /api/v4/workflow/download. Because the downloader accepted user-supplied URLs without validating loopback, localhost, IPv6 localhost, or redirect-to-loopback targets, a low-privileged user could exfiltrate responses from internal services - including cloud instance metadata endpoints, internal APIs, or services bound to 127.0.0.1 - by reading the downloaded content from their own Cloudreve file storage. No public exploit has been identified at time of analysis; vendor-released patch 4.16.1 is available.
SSRF guard bypass in FastGPT prior to 4.15.0-beta5 enables authenticated workflow users to reach cloud metadata endpoints, loopback interfaces, and internal network services that the guard would otherwise block on direct request. The HTTP request workflow node submits the initial URL to the SSRF guard for validation, but then hands the request to axios, which follows HTTP redirects by default without re-triggering the guard - allowing an attacker-controlled redirect server to pivot the request to any internal target. No public exploit code has been identified at time of analysis, but the technique is well-understood, low-complexity once authenticated, and particularly severe in cloud-hosted deployments where IMDSv1 metadata endpoints expose IAM credentials.
Server-side request forgery in Directus before 12.0.0 lets an authenticated user with file-upload rights abuse the /files/import endpoint to make the server fetch internal-only services and return their responses as downloadable files. The flaw stems from an incomplete SSRF denylist in api/src/request/is-denied-ip.ts, which treated 0.0.0.0 as a keyword but never blocked the literal address, so on Linux and macOS a request to 0.0.0.0 resolves to localhost and bypasses the protection. No public exploit identified at time of analysis and it is not in CISA KEV; EPSS was not provided.
Server-side request forgery in PraisonAI's web_crawl tool (versions before 1.6.78) allows an authenticated attacker to reach internal HTTP services and exfiltrate their response bodies. The flaw stems from a time-of-check/time-of-use gap: hostnames are validated once but re-resolved at connection time without IP pinning, so DNS rebinding defeats the SSRF allowlist. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the technique is well-documented and the vendor has released a fix in 1.6.78.
Server-side request forgery and credential theft in Grafana MCP Server lets an unauthenticated remote attacker steal the server's environment-configured Grafana service-account token by sending a crafted X-Grafana-URL request header, and pivot to reach arbitrary internal services including cloud metadata endpoints. The token grants the attacker the MCP server's full Grafana privileges, and the SSRF primitive exposes internal infrastructure behind the network perimeter. No public exploit identified at time of analysis, but the CVSS 8.6 (scope-changed) rating and unauthenticated network vector make this a high-priority fix.
CAI Content Credentials is affected by a Server-Side Request Forgery (SSRF) vulnerability that could result in arbitrary code execution in the context of the current user. An attacker could exploit this vulnerability to inject malicious scripts into a web page, potentially gaining elevated access or control over the victim's account or session. Exploitation of this issue requires user interaction in that a victim must visit a maliciously crafted URL or interact with a compromised web page. Scope is changed.
A weakness has been identified in mastergo-design mastergo-magic-mcp up to 0.2.0. Impacted is the function z.string of the file src/tools/get-component-link.ts of the component mcp__getComponentLink. Executing a manipulation of the argument url can lead to server-side request forgery. The attack may be performed from remote. The exploit has been made available to the public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.
Server-side request forgery in Adobe ColdFusion lets a low-privileged, authenticated attacker coerce the server into issuing crafted outbound requests, bypassing a security control and gaining unauthorized read access to resources the attacker should not reach. The CVSS 3.1 scope-changed vector (S:C, C:H) indicates the impact extends beyond ColdFusion itself to backend or internal systems it can reach. No public exploit identified at time of analysis, and the flaw is not listed in CISA KEV; remediation is available via Adobe security bulletin APSB26-82.
Simple Machines Forum 2.1 prior to commit 4bf35cf and 3.0 prior to commit b4d23df contains a server-side request forgery vulnerability in the image proxy that allows authenticated attackers to trigger internal HTTP requests by embedding attacker-controlled URLs in BBCode image tags, which the proxy fetches without validating resolved destination IPs against private address ranges, loopback, or link-local addresses. Attackers can leverage SMF's automatic HMAC signature generation for any embedded image URL to obtain valid signed proxy requests targeting internal services such as cloud instance metadata endpoints, internal web applications, and container network services.
NVIDIA TensorRT-LLM for Linux contains a vulnerability in the multimodal media fetching functions, where a network-accessible attacker could cause server-side request forgery. A successful exploit of this vulnerability might lead to denial of service and information disclosure.
Server-side request forgery in AWS awslabs.healthlake-mcp-server before 0.0.14 lets a remote authenticated user exfiltrate AWS temporary security credentials to an attacker-controlled endpoint by supplying a crafted next_token pagination parameter. Because the server never validates that paginated request URLs still point at the legitimate HealthLake FHIR datastore, subsequent authenticated calls (carrying SigV4/temporary credentials) can be redirected off-host. Rated CVSS 4.0 9.2 (critical); no public exploit identified at time of analysis and not listed in CISA KEV.
Server-Side Request Forgery in Anyquery's server mode (versions < 0.4.5) lets remote attackers who reach the MySQL-compatible listener force the server to fetch arbitrary URLs through its built-in SQLite virtual table modules (json_reader, log_reader), which internally use go-getter. Because the server accepts MySQL connections without authentication and applies no allow/deny list on fetch targets, an attacker can CREATE VIRTUAL TABLE against internal endpoints or the cloud metadata IP (169.254.169.254) and read the response as a table, bypassing external firewalls to scan internal services and exfiltrate cloud IAM credentials. Publicly available exploit code exists (a working PoC is embedded in the vendor advisory); there is no CISA KEV listing or EPSS score in the provided data.
A Server-side request forgery (SSRF) vulnerability has been identified in the SMA1000 Appliance Work Place interface. A remote unauthenticated attacker could potentially cause the appliance to make requests to unintended location.
Server-Side Request Forgery in Adobe Experience Manager (AEM as a Cloud Service, 6.5 LTS, and 6.5) lets a low-privileged, authenticated attacker coerce the server into issuing crafted requests that can escalate to arbitrary code execution in the current user's context and hijack the victim's account or session. The scope-changed CVSS 9.6 rating reflects that the SSRF pivots beyond the vulnerable component itself. No public exploit identified at time of analysis, and no CISA KEV listing; risk is driven by CVSS severity and Adobe's confirmation via advisory APSB26-74 rather than observed exploitation.
Server-side request forgery (ssrf) in Microsoft Office SharePoint allows an authorized attacker to disclose information over a network.
SSRF protections in Sonatype Nexus Repository 3 are bypassed when proxy repository upstream servers return HTTP redirects, allowing those redirects to target internal network addresses or cloud metadata endpoints such as AWS IMDSv1. Any user with read access to an affected proxy repository - including anonymous users if anonymous access is enabled - can receive responses from internal infrastructure, potentially leaking cloud IAM credentials or other sensitive internal data. No public exploit or CISA KEV listing has been identified at time of analysis, but the condition relies on attacker-controlled or compromised upstream servers, making this a credible supply-chain-adjacent threat in enterprises relying on external upstream repositories.
Server-Side Request Forgery in Sonatype Nexus Repository 3 allows any holder of the Capability Administration permission to redirect the server's outbound HTTP requests to arbitrary internal network addresses by supplying a crafted URL in the Webhook Global capability configuration, enabling probing of internal infrastructure. The vulnerability is patched in version 3.94.0 per Sonatype's release notes. No public exploit code exists and the vulnerability is not in CISA KEV, but risk escalates materially on instances where the anonymous role has been granted the Capability Administration permission, as this exposes the SSRF to unauthenticated actors without any configuration changes beyond that role assignment.
Server-Side Request Forgery and information disclosure in Roundcube Webmail before 1.6.17 and 1.7.x before 1.7.2 arises from insufficient CSS sanitization in HTML e-mail bodies, letting a crafted message with stylesheet links pointing to internal hosts coerce the server into issuing requests to local-network resources. This is a re-opened flaw stemming from incomplete fixes for CVE-2026-35540 and CVE-2026-48843, indicating the sanitizer still failed to block specific local-address URL patterns. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the vendor rates it as a stable security update recommended for all installations.
Server-Side Request Forgery in Sonatype Nexus Repository 3 exposes internal network infrastructure to authenticated users holding the nexus:ssl-truststore:read permission, who can weaponize the SSL Certificate Retrieval endpoint to force the server to initiate outbound TCP connections to arbitrary hosts - including cloud metadata services, internal APIs, and otherwise firewalled systems. All versions from 3.0.0 up to (but not including) 3.94.0 are affected, and a vendor-released patch is available. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.
Server-side request forgery in Easy!Appointments prior to 1.6.0 allows authenticated backend users - admins, providers, or secretaries - to probe internal network hosts by supplying arbitrary URLs to the CalDAV synchronization endpoint. The Guzzle HTTP client in `Caldav.php:60` forwards a REPORT request to the caller-supplied `caldav_url` without validating the scheme or destination host, enabling access to loopback, RFC1918, and link-local addresses on the deployment network. The SSRF is semi-blind, returning up to approximately 120 bytes of upstream response body through the exception path; no public exploit has been identified, exploitation requires an active backend account, and version 1.6.0 resolves the issue.
Server-side request forgery in Sustainable Irrigation Platform (SIP) through version 5.2.16 allows unauthenticated network attackers to weaponize the device as an HTTP proxy against internal or external hosts. Exploitation requires the optional Node-RED plugin to be installed and leverages the known default passphrase 'opendoor' to bypass authentication to the plugin interface - dramatically lowering the practical barrier for blind SSRF. A publicly available proof-of-concept exploit exists per ZeroScience advisory ZSL-2026-5998; no CISA KEV listing at time of analysis.
Memory exhaustion in elixir-mint's HTTP/2 client library (mint) allows a malicious or attacker-controlled HTTP/2 server to crash any BEAM application using the library by streaming unbounded zero-length CONTINUATION frames that bypass the existing byte-size guard. Affected versions span mint 0.1.0 through 1.9.1; a vendor-released patch is confirmed in 1.9.2. No public exploit or CISA KEV listing exists at time of analysis, but the explicit SSRF and redirect attack vectors meaningfully increase realistic exposure for server-side Elixir applications that proxy user-supplied URLs.
Unbounded memory consumption in the Elixir Mint HTTP client (versions 0.1.0 through 1.9.1) lets a malicious or attacker-influenced HTTP server crash the entire BEAM application acting as the client. The HTTP/1 header and chunked-trailer parsers accumulate every incoming header line into a per-request buffer with no size or count cap, so a server that streams headers forever without sending the terminating blank line drives the client host to out-of-memory death. No public exploit or CISA KEV listing has been identified at time of analysis; a vendor patch (1.9.2) and fix commit are available, and the EPSS/POC signals are unremarked in the source data.
Server-side request forgery in louisho5 picobot up to version 0.2.0 allows authenticated remote attackers to manipulate the url argument of the WebTool.Execute function in internal/agent/tools/web.go, causing the server to issue arbitrary HTTP requests to internal or external targets. The vulnerability carries a CVSS 4.0 score of 5.3 with low-privilege authentication required and has publicly available exploit code disclosed via a GitHub issue report. The upstream project has not responded to the responsible disclosure, meaning no patch is available at time of analysis.
Server-side request forgery in zhayujie CowAgent's Vision Tool allows authenticated remote attackers to make the server issue arbitrary HTTP requests to internal network resources. The vulnerability exists in the Vision._download_to_data_url / _build_image_content function in agent/tools/vision/vision.py, where the image argument is passed to an HTTP fetch without URL validation, enabling access to private RFC1918 addresses, loopback interfaces, and other non-public infrastructure. A publicly available proof-of-concept exploit exists (GitHub issue #2878), and a vendor-released patch (version 2.1.2) is available.
Server-side request forgery in GoClaw 3.13.3-beta.3 enables authenticated remote attackers to manipulate the `output.video_url` parameter within the `bytePlusDownloadVideo` function, coercing the server into issuing HTTP requests to attacker-controlled destinations including internal network resources. The flaw resides in `internal/tools/create_video_byteplus.go` at the invoke endpoint. A proof-of-concept exploit has been publicly disclosed via GitHub issue #1199; however, no CISA KEV listing confirms mass active exploitation, and the CVSS 4.0 score of 2.1 reflects the low-privilege authentication barrier and limited per-request impact scope.
Server-side request forgery in mosaxiv clawlet up to version 0.2.10 allows remote attackers to manipulate the server into issuing arbitrary HTTP requests by supplying a crafted URL to the web_fetch function in tools/tool_web_fetch.go via the IPv4 Handler. The CVSS 4.0 score of 2.1 reflects limited practical impact, constrained further by a user-interaction requirement (UI:P) and low CIA impact metrics. Publicly available exploit code exists (E:P per CVSS 4.0 supplemental vector), and the upstream maintainer has closed the tracking issue as 'not planned', meaning no official fix will be released.
Server-side request forgery in mosaxiv clawlet up to version 0.2.10 enables authenticated remote attackers to manipulate the webFetch tool function to issue arbitrary HTTP requests from the server, potentially reaching internal services, cloud metadata endpoints, or other network resources not directly accessible to the attacker. A publicly available proof-of-concept exploit was disclosed via GitHub issue #14, making real-world exploitation more accessible. Critically, the upstream maintainer closed the issue as 'not planned,' meaning no vendor-released patch is forthcoming and the vulnerability will remain permanently unaddressed in the existing codebase.
OpenClaw's browser CDP (Chrome DevTools Protocol) discovery component fails to enforce its own URL blocklist, allowing lower-trust authenticated users to reach network destinations that OpenClaw policy should have denied access to. The root cause is a Server-Side Request Forgery variant (CWE-918) where blocked WebSocket URLs submitted through CDP discovery are accepted and proxied without policy enforcement. The CVSS 4.0 vector (SC:H/SI:L) confirms the primary impact lands on downstream or segmented network resources - not OpenClaw itself - making this a network segmentation bypass rather than a direct system compromise. No public exploit code or CISA KEV listing has been identified at time of analysis.
Server-side request forgery in codecentric Spring Boot Admin Server before 4.1.2 lets unauthenticated remote attackers register a monitored instance with attacker-controlled healthUrl and managementUrl values that are never validated against private IP ranges or cloud metadata endpoints. Because the server then fetches those URLs and exposes the response bodies through its actuator proxy, an attacker can pivot into internal networks and read back sensitive data such as cloud instance-metadata credentials. Publicly available exploit code exists and the flaw was reported by VulnCheck, though there is no public exploit identified as actively exploited (not in CISA KEV).
Server-side request forgery in CrewAI's scraping tools before version 1.15.1 lets remote attackers reach internal services and cloud metadata endpoints by abusing a flawed validate_url function. The filter performs a single DNS resolution and blocklist check, then returns the original URL unchanged, so attacker-supplied URLs that HTTP-redirect to internal addresses or exploit DNS rebinding slip past the guard. Publicly available exploit code exists (VulnCheck advisory and issue #6520), but there is no public exploit identified as being used in active attacks.
Server-side request forgery in Laravel-Mediable before 7.0.0 enables network-accessible, low-privilege attackers to issue arbitrary HTTP requests originating from the server by supplying unvalidated URLs to any application endpoint backed by MediaUploader::fromSource(). The RemoteUrlAdapter class accepts caller-controlled URLs without restricting schemes, IP ranges, or hostnames, allowing requests to RFC-1918 addresses, loopback interfaces, file:// URIs, and cloud instance metadata endpoints such as AWS IMDSv1 at 169.254.169.254. In cloud deployments, successful exploitation can yield IAM temporary credentials, enabling privilege escalation far beyond the base CVSS score of 5.3 would suggest. No public exploit or CISA KEV listing exists at time of analysis.
Server-side request forgery in NukeViet CMS before 4.6.00 lets a remote unauthenticated attacker coerce the server into issuing outbound HTTP requests to an arbitrary host by spoofing the X-Forwarded-Host and X-Forwarded-Proto headers, which flow unvalidated into the cURL URL built by server_info_update(). Because the __serverInfoUpdate=1 POST handler in includes/ini.php runs before authentication, no credentials are needed. The flaw is blind, HEAD-only and uses a fixed request path, so its practical value is internal host/port discovery and poisoning of the cached server_headers rather than data exfiltration; no public exploit beyond the advisory PoC is identified and it is not in CISA KEV.
Stored Server-Side Request Forgery in Decidim's push notification subsystem allows any authenticated user to register an arbitrary HTTPS URL as a push subscription endpoint, causing the application server to issue outbound POST requests to that attacker-controlled destination whenever notifications are dispatched. The vulnerability exists in the decidim-core RubyGem across versions below 0.30.9, 0.31.0.rc1 through 0.31.4, and 0.32.0.rc1, and is only exploitable when VAPID push delivery is configured. No public exploit code has been identified and the vulnerability is not listed in the CISA KEV catalog, but a vendor-confirmed patch and source-code-level proof of the source-to-sink chain are available via the GHSA advisory.
Server-Side Request Forgery in the Themeisle Auto Featured Image (Auto Post Thumbnail) WordPress plugin through version 5.0.4 enables authenticated low-privilege users to coerce the server into issuing arbitrary outbound HTTP requests to attacker-controlled destinations, including internal network resources. The CVSS scope change (S:C) confirms the vulnerability can reach resources outside the WordPress application boundary - such as cloud metadata endpoints, internal APIs, or services on the hosting network. No public exploit identified at time of analysis, and SSVC assessment confirms no observed exploitation with non-automatable attack conditions.
Server-Side Request Forgery in bdthemes Instant Image Generator (WordPress plugin ai-image) through version 2.1.4 allows low-privileged authenticated users to coerce the WordPress server into issuing HTTP requests to arbitrary destinations. The scope-changed CVSS vector (S:C) confirms the server can be directed at internal infrastructure beyond the WordPress installation itself, enabling internal network probing or cloud metadata endpoint access. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.
Server-Side Request Forgery in WP Swings' PDF Generator for WordPress plugin (all versions up to and including 1.6.2) lets remote attackers coerce the WordPress server into issuing attacker-controlled outbound requests, with a scope-changed impact reaching adjacent internal systems. Reported by Patchstack and tracked as CWE-918 with a CVSS 3.1 base score of 7.2, it currently has no public exploit identified at time of analysis and is not listed in CISA KEV. Because the scope is changed (S:C), successful abuse can pivot the server against internal metadata endpoints, intranet services, or cloud IMDS resources beyond the WordPress host itself.
Server-Side Request Forgery in the WPJAM Basic WordPress plugin (by denishua) affects all versions up to and including 7.0, letting remote attackers coerce the site's server into issuing crafted outbound requests. Because the CVSS scope is marked Changed with low confidentiality and integrity impact, an attacker can reach internal or otherwise-protected services and read back limited responses. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV; it was disclosed through the Patchstack vulnerability database.
Server-Side Request Forgery bypass in the html_to_markdown expansion module of misp-modules lets an authenticated attacker reach internal, loopback, and link-local services that the module's IP range filtering was meant to block. By supplying an IPv4-mapped IPv6 address such as http://[::ffff:169.254.169.254]/ (or a hostname resolving to one), the attacker defeats the blocked-range checks and can pull back internal content — including cloud instance metadata — rendered back to them as Markdown. No public exploit identified at time of analysis and it is not in CISA KEV, but the underlying IPv4-mapped-IPv6 filter bypass is a well-understood, easily reproduced technique.
Authenticated SSRF in Apache Gravitino's JobManager component (versions 1.0.0 through 1.2.1) enables authenticated users to coerce the server into making arbitrary outbound HTTP requests to internal network hosts and cloud instance metadata services (e.g., AWS IMDS at 169.254.169.254, GCP metadata endpoints) by supplying unvalidated URIs within job templates. In cloud-hosted deployments this is a credential-theft primitive: metadata service access can yield IAM role credentials with blast radius extending well beyond the Gravitino service itself. No public exploit or CISA KEV listing has been identified at time of analysis; vendor labels severity as moderate, though cloud-metadata reachability elevates real-world impact above that rating in typical deployment contexts.
Server-side request forgery in kLOsk adloop through version 0.9.0 allows authenticated remote attackers to manipulate the `final_url` argument passed to the `_validate_urls` function in `src/adloop/ads/write.py`, causing the server to issue arbitrary outbound HTTP requests. Internal network services, cloud metadata endpoints, and other non-public resources reachable from the server may be exposed. A public proof-of-concept exploit exists via GitHub issue #41, and a vendor-released patch is available in version 0.10.0.
Server-Side Request Forgery in LogicalDOC Enterprise versions up to and including 9.1.1 lets a remote, unauthenticated attacker abuse the ShareFileCallback servlet to coerce the server into issuing HTTP requests to an attacker-chosen host. Because no credentials are required and the flaw is network-reachable, it can be used to probe internal networks, reach otherwise-firewalled services, and potentially retrieve cloud metadata. A public technical disclosure exists (netero1010 Vulnerability-Disclosure repository); there is no public exploit identified as being used in active attacks and it is not listed in CISA KEV.
Server-side request forgery in Helicone ai-gateway (up to 0.2.0-beta.30) allows a low-privileged remote attacker to manipulate the `extracted_path_and_query` argument within the `build_target_url` function of the AWS Metadata Service component, causing the gateway to issue unauthorized server-side HTTP requests to internal infrastructure. For deployments on AWS, this most critically targets the EC2 Instance Metadata Service (IMDS) at 169.254.169.254, potentially exposing IAM role credentials that carry blast radius far exceeding the assigned CVSS 5.3 score. A public exploit exists via GitHub, and the vendor was unresponsive to pre-disclosure contact, meaning no vendor-confirmed patch is available at time of analysis.
Server-side request forgery in AstrBot's dashboard MCP Test Endpoint allows low-privileged authenticated users to coerce the server into issuing arbitrary HTTP requests via a manipulated `mcp_server_config.url` parameter. All AstrBot versions through 4.25.2 are affected via the `ToolsRoute.test_mcp_connection` function in `astrbot/dashboard/routes/tools.py`. A publicly available proof-of-concept exploit exists, and the vendor has not responded to disclosure, leaving no vendor-issued patch at time of analysis.
Server-side request forgery in AstrBot up to version 4.25.2 allows authenticated remote attackers to cause the server to issue arbitrary HTTP requests by supplying a malicious value for the `custom_registry` parameter at the `market_list` plugin marketplace endpoint. The affected function is `get_online_plugins` in `astrbot/dashboard/routes/plugin.py`. A public proof-of-concept exploit is available on GitHub, though this vulnerability is not listed in the CISA KEV catalog. The CVSS 4.0 score of 2.1 reflects the authentication barrier and constrained impact, making this a lower-priority but tactically exploitable issue for attackers with dashboard access.
Server-side request forgery in PraisonAI's Crawl4AI/Chromium crawling backend (all versions before 1.6.78) lets low-privileged users bypass URL allowlist/SSRF validation through DNS rebinding and HTTP redirects, causing the headless browser to reach internal-only services and return their responses. Because validation happens before the browser dereferences the URL, an attacker-controlled host can pass the check and then resolve or redirect to internal endpoints, exposing sensitive internal data (demonstrated with canary values). Reported by VulnCheck; no public exploit identified at time of analysis and it is not listed in CISA KEV.
Arbitrary local file disclosure in the Planyo Online Reservation System WordPress plugin (all versions through 3.0) lets unauthenticated remote attackers read any server-side file. The ulap.php AJAX proxy is reachable without WordPress bootstrapping or authentication and validates only the URL host against an allowlist, not the scheme, so a file://localhost/ URL passes the check and is fetched via curl/fopen. Reported by Wordfence with no public exploit identified at time of analysis; sensitive targets include wp-config.php database credentials and /etc/passwd.
Server-Side Request Forgery in Drupal Core allows authenticated low-privilege users to coerce the application server into issuing unauthorized HTTP requests to internal or restricted network destinations. All active 10.6.x and 11.x release branches are affected, along with end-of-life 11.0.x and 11.1.x branches, covering a broad swath of production Drupal deployments. No public exploit code has been identified and EPSS sits at the 3rd percentile, but the large Drupal deployment footprint elevates aggregate exposure even at low per-instance exploitation probability.
Server-Side Request Forgery in the Drupal OpenAI Provider module enables authenticated administrators to force the server to issue HTTP requests to attacker-controlled destinations, potentially reaching internal network resources beyond the intended API boundary. Affected versions span 0.0.0 through 1.1.1 and 1.2.0 through 1.2.2; a vendor patch is available via Drupal security advisory SA-CONTRIB-2026-053. No public exploit code exists, EPSS sits at 0.14% (4th percentile), and SSVC confirms exploitation status as none - all signals converge on a low operational priority despite the network-accessible attack vector.
Server-side request forgery in Typebot before 3.17.2 lets an authenticated workspace editor or creator bypass the shared SSRF validator using the IPv6 unspecified address :: (and its expanded form), which validateIPAddress in packages/lib/src/ssrf/validateHttpReqUrl.ts fails to block. By configuring a server-side HTTP Request block or guarded script fetch, an attacker coerces the Typebot server to reach local HTTP services via safeKy, including flows reachable through startChat and continueChat endpoints. No public exploit identified at time of analysis, but the fix is confirmed in 3.17.2 and the technical root cause is documented in the vendor advisory.
Server-Side Request Forgery in Misskey's UrlPreviewService allows remote unauthenticated attackers to coerce the platform's backend into initiating outbound HTTP connections toward loopback addresses, RFC-1918 private ranges, and link-local networks. The root cause is that IP address validation is applied only after the TCP connection has already been established, meaning the outbound request reaches the internal target before the check rejects it. Per vendor disclosure, response data is not believed to be returned to the attacker, limiting the impact to blind SSRF with potential for triggering internal service side effects. No public exploit identified at time of analysis, and a fix is available in version 2026.6.0.
GNU Wget's FTP passive mode implementation fails to validate the IP address returned in a server's PASV response, enabling a malicious FTP server - or any HTTP server issuing a redirect to an ftp:// URL - to redirect Wget's data connection to an arbitrary internal IP address and port. All Wget releases through 1.25.0 (prior to upstream commit 4f85853) are affected, exposing any host running Wget to server-side request forgery (SSRF) that can probe or interact with localhost services and internal network resources. No confirmed active exploitation exists (SSVC: exploitation none), and no public POC exploit has been identified at time of analysis; the NVD-provided CVSS attack vector (AV:L) appears inconsistent with the network-based attack mechanism and may be an error.
Server-side request forgery in coturn TURN/STUN server before 4.13.0 lets an authenticated TURN client bypass the default loopback-peer guard by supplying the IPv4-mapped IPv6 address ::ffff:127.0.0.1 in the XOR-PEER-ADDRESS attribute, relaying traffic to services bound only to the coturn host's localhost. The loopback check evaluates the literal IPv6 loopback shape before IPv4-mapped IPv6 normalization, so good_peer_addr never applies the rejection even when allow-loopback-peers is disabled. No public exploit identified at time of analysis and it is not listed in CISA KEV, but the fix is confirmed in version 4.13.0.
Server-side request forgery in Kimai 2.56.0 allows authenticated users with write access to Markdown-rendered invoice fields to force the application server to issue outbound HTTP requests to attacker-controlled or internal network destinations. The vulnerability surfaces during invoice PDF preview and generation, where user-controlled Markdown is processed through an md2html filter and handed to mPDF, which fetches embedded image URLs server-side even with safe mode enabled. A proof-of-concept was developed and responsibly disclosed to the vendor - it is not publicly available - and no active exploitation has been confirmed; however, the attack path is mechanically simple for any user with access to customer invoice text fields such as Customer.invoiceText.
Server-side request forgery in the file_type content detector of guardrails-detectors (a component shipped with Red Hat OpenShift AI/RHOAI) allows a remote attacker to submit an arbitrary XML Schema Definition (XSD) that the parser resolves without restriction, coercing the server into fetching attacker-chosen URLs or reading local files. Because the CVSS vector is AV:N/PR:N/UI:N with a changed scope and high confidentiality impact (base score 9.3), an unauthenticated attacker can pivot into internal networks and harvest secrets such as cloud provider credentials. There is no public exploit identified at time of analysis, and the flaw is not listed in CISA KEV.
Unauthenticated blind SSRF via DNS rebinding in PraisonAI before 4.6.78 allows remote attackers to reach internal services through the Jobs API /api/v1/runs endpoint without credentials. The webhook_url parameter is validated at request intake but re-resolved at connection time, creating a TOCTOU window exploitable by an attacker who controls a malicious DNS server - flipping the resolved IP from a legitimate external address to an internal target after validation passes. No public exploit code or CISA KEV listing exists at time of analysis; the unauthenticated network vector (AV:N/PR:N) makes this a meaningful risk for any internet-exposed PraisonAI deployment, particularly in cloud environments where internal metadata APIs may be reachable.
Server-side request forgery in Crawl4AI's Docker API server (versions before 0.8.7) allows remote unauthenticated attackers to coerce the server into making arbitrary internal requests. The /crawl/job and /llm/job endpoints accept caller-supplied webhook URLs without validating the destination, so an attacker can target private IP ranges, Docker network internals, or the cloud metadata endpoint (169.254.169.254) to reach otherwise unreachable services and harvest credentials. CVSS 4.0 rates it 9.2 (critical); no public exploit identified at time of analysis, and it is not listed in CISA KEV.
Server-Side Request Forgery in the guardrails-detectors component allows a remote attacker to submit a crafted XML Schema Definition (XSD) that forces the service to make attacker-directed requests, reaching cloud metadata services, the Kubernetes API, internal MinIO object storage, and other internal endpoints, and to read local files such as service account tokens and pod secrets. Because the flaw is blind SSRF chained to local file disclosure inside a container/Kubernetes context, an attacker can harvest credentials and pivot deeper into the cluster. No public exploit identified at time of analysis, but the CVSS 9.3 rating and scope-changing impact make this high priority for affected AI-guardrails deployments.
Server-Side Request Forgery in the All-in-One Video Gallery WordPress plugin (all versions through 4.8.5) enables a two-stage attack where a subscriber-level authenticated user plants an internal or loopback URL into a video post's mp4 meta field via the XML-RPC wp.newPost method, then any unauthenticated party can trigger the ?vdl=<post_id> endpoint to force the server to fetch that URL and stream the full response body - enabling reconnaissance of internal services including cloud metadata endpoints. The CVSS scope change (S:C) captures the critical decoupling: subscriber-level credentials are needed only for setup, while the actual SSRF trigger requires no authentication at all. No public exploit identified at time of analysis, though the Wordfence advisory documents the complete attack chain with specific code line references.
Server-side request forgery in zhayujie CowAgent versions up to 2.1.1 allows remote unauthenticated attackers to manipulate the `image` argument passed to `_build_image_content` or `_download_to_data_url` within the Vision Tool component, forcing the server to issue arbitrary outbound HTTP requests to attacker-specified destinations. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms exploitation requires no authentication and no special conditions, making this trivially accessible over the network. Exploit code has been publicly disclosed (CVSS 4.0 E:P per VulDB submission), raising real-world risk; no CISA KEV listing exists at time of analysis, so confirmed mass exploitation is not established.
Server-side request forgery in Sipeed PicoClaw up to version 0.2.9 allows remote attackers to manipulate the WebFetchTool.Execute function within the Guarded Web Fetch Flow component, causing the server to issue arbitrary outbound requests on behalf of the attacker. The vulnerability carries a CVSS 4.0 base score of 2.1, reflecting limited confidentiality, integrity, and availability impact with no subsequent-system scope change. A public exploit has been released (E:P confirmed), but no vendor patch exists - the upstream GitHub issue was closed automatically due to inactivity, not resolution.
Authentication bypass in Hermes WebUI before 0.51.307 lets unauthenticated remote attackers reach onboarding endpoints that are supposed to be restricted to loopback traffic by spoofing an X-Forwarded-For header with a 127.0.0.1 value. Once past the origin check, an attacker can pivot to server-side request forgery against internal services and cloud metadata endpoints, overwrite LLM provider configuration and API keys, or start an OAuth device-code flow to mint persistent tokens saved in auth.json. A vendor patch exists; the flaw carries a CVSS 4.0 score of 9.3, but no public exploit code has been identified at time of analysis.
Server-side request forgery in YesWiki's Bazar ActivityPub module (through v4.6.5) lets an unauthenticated remote attacker coerce the server into fetching arbitrary attacker-chosen URLs. The public inbox route parses the HTTP Signature header and issues a server-side GET to the attacker-supplied keyId URL before any signature or URL validation, enabling internal port scanning, service enumeration, and cloud IAM metadata theft (169.254.169.254). Publicly available exploit code exists (a detailed PoC with a working request), and verbose 500 exception/stack-trace responses act as a data oracle; there is no CISA KEV listing.
Signature-verification bypass in YesWiki (v4.6.5 and earlier, ActivityPub-federated Bazar forms) lets an unauthenticated remote attacker forge a valid ActivityPub actor and have Create/Update/Delete activities processed as if properly signed. The flaw stems from HttpSignatureService::verifySignature() using a loose boolean check (!openssl_verify(...)) that treats openssl_verify()'s -1 internal-error return as success. A detailed proof-of-concept exists (publicly available exploit code exists) demonstrating full CRUD on Bazar entries; the issue is not in CISA KEV and no EPSS score was provided.
Server-side request forgery in Palo Alto Networks PAN-OS allows an authenticated administrator with access to the management web interface to weaponize the firewall as an unauthorized network relay, making requests to internal services on behalf of the attacker. Exploitation is constrained by the requirement for high-privilege administrator credentials (PR:H) and network reachability to the management interface, substantially limiting the realistic attacker population. No public exploit code or active exploitation has been identified; the vendor's own CVSS 4.0 supplemental metrics rate exploitation status as Unreported (E:U) and urgency as Amber.
Server-side request forgery in aerostackdev aerostack-mcp's mcp-whatsapp component allows authenticated remote attackers to manipulate the `media_url` argument of the `upload_media` function, causing the server to issue arbitrary outbound HTTP requests on the attacker's behalf. Affected installations span all commits up to 6315dfde7df0a15aaf743f88d91347115e09ba23 with no vendor patch available and no maintainer response to the disclosure. No public exploit has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.
Server-side request forgery (and cross-scheme local file disclosure) in the Ruby css_parser gem (all versions prior to 3.0.0) lets an attacker who can land a single @import url(...) rule in parsed CSS force the server to issue arbitrary HTTP/HTTPS GETs to any internal host, port or IP, and — via an attacker-controlled 302 redirect to a file:// URI — read local files. Premailer-style consumers that re-emit the parsed CSS into rendered HTML/email leak any CSS-shaped response bytes back to the attacker, turning this into a data-exfiltration channel rather than a blind SSRF. No public CVSS is published and it is not in CISA KEV, but a complete working proof-of-concept (poc.rb) is included in the advisory, so publicly available exploit code exists.
SSRF protection bypass in pyload-ng allows authenticated users with link-add permissions to reach internal network endpoints - including cloud metadata services - by supplying IPv6 transition-encoded addresses that Python's `ipaddress.IPv6Address.is_global` incorrectly classifies as globally routable. The NAT64 prefix (`64:ff9b::/96`) bypass is universal across all supported Python versions (3.9-3.14); the 6to4 prefix (`2002::/16`) bypass additionally affects Python 3.9-3.11, covering the full `python_requires = >=3.9` matrix. No confirmed active exploitation (CISA KEV) has been identified, but a researcher-provided proof-of-concept demonstrates full bypass of both the `is_global_address` guard and the pycurl PREREQFUNC in `http_request.py:680`.
The Fediverse Embeds WordPress plugin before 1.5.8 does not validate the destination of the server-side request performed by an unauthenticated site-info endpoint before fetching it, allowing anonymous users (the gating nonce is exposed on public pages carrying an embed) to make the site request internal and private-network URLs and read back the parsed page metadata. This is a Server-Side Request Forgery.
The Fediverse Embeds WordPress plugin before 1.5.8 does not validate the destination of the server-side request performed by an unauthenticated media-proxying endpoint, allowing anonymous users to make the site fetch arbitrary URLs, including internal and private-network addresses, and read back the response body. This results in a full-read Server-Side Request Forgery and open proxy.
Server-side request forgery in Monsta FTP before 2.14.5 lets an unauthenticated remote attacker coerce the server into making HTTP requests to internal-only services and exfiltrate the responses. The flaw lives in the fetchRemoteFile action, where the isBlockedIP() SSRF filter fails to recognize IPv4-mapped IPv6 addresses, so blocklisted internal ranges can be reached anyway; a CSRF token is trivially obtainable from the public getSystemVars endpoint. Impact is notable because the primary abuse case is stealing cloud instance metadata credentials, though no public exploit is identified at time of analysis.
Open redirect and client-side SSRF in Gradio before 6.20.0 expose cloud infrastructure credentials to network attackers via the /gradio_api/file= endpoint. The file_fetch() function accepts unvalidated HTTP/HTTPS URLs from attacker-controlled FileData responses, enabling redirection of victim browsers to arbitrary destinations including cloud metadata services such as the EC2 instance metadata endpoint (169.254.169.254). Successful exploitation in cloud-hosted Gradio deployments allows retrieval of IAM role credentials, achieving high subsequent-system confidentiality impact. No public exploit or CISA KEV listing is identified at time of analysis; a fix is available in version 6.20.0.
Server-Side Request Forgery in Python Zeep 4.0.0 through 4.3.2 allows an attacker who can influence WSDL or XSD content parsed by the library to bypass the explicit `Settings.forbid_external` security control, causing the server to issue HTTP or HTTPS requests to attacker-chosen URLs via transitive xsd:import, xsd:include, wsdl:import, or lxml entity and DTD references. The vulnerability is particularly significant because it defeats a documented security setting that developers actively configure to prevent external fetching - applications relying on this control are silently unprotected. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV.
Server-side request forgery in Repomix's hosted API (POST /api/pack) lets unauthenticated remote attackers coerce the server into making arbitrary outbound requests. Because the endpoint passes user-supplied URLs to git clone without validating the http://, https://, or file:// schemes, an attacker can reach internal-only network addresses, cloud metadata endpoints (e.g. GCP), and read local filesystem paths. VulnCheck reported the flaw and a vendor fix exists; no public exploit is identified at time of analysis.
Security-control bypass in oasdiff v1.13.2-v1.18.0 silently negates the `--allow-external-refs=false` safety flag when loading OpenAPI specifications via the git-revision input form (`rev:path`, e.g. `main:openapi.yaml`), leaving callers exposed to SSRF and local file disclosure despite explicitly intending to sandbox untrusted spec processing. Malicious `$ref` URIs embedded in a spec - pointing to internal HTTP endpoints or local filesystem paths - are resolved on the git-revision load path even when the policy is set, while the file-path and URL load paths correctly enforce the restriction. No public exploit code has been identified at time of analysis and the vulnerability is not in CISA KEV; vendor-released patch v1.18.1 is available.
Server-side request forgery in FastGPT before 4.15.0-beta4 lets an authenticated team member abuse the HTTP-tool OpenAPI schema importer to reach internal-only services and cloud instance metadata. Because the importer only validates the top-level URL and then hands the document to SwaggerParser.bundle, whose $ref resolver fetches remote references without FastGPT's internal-address guard, fetched content is returned inline to the caller. There is no public exploit identified at time of analysis and it is not in CISA KEV, but the vendor advisory (GHSA-72hf-5382-2mq9) confirms the flaw and its fix.
Sensitive information disclosure and server-side request forgery in mem0's self-hosted server let unauthenticated remote attackers steal stored LLM provider credentials and pivot into internal infrastructure. Because the /api/v1/config/ endpoints require no authentication (CWE-306), an attacker can GET plaintext secrets such as OpenAI API keys and PUT a malicious ollama_base_url to coerce the server into requesting internal-only addresses like cloud instance metadata (IMDS). CVSS 4.0 rates this 9.2 (Critical); there is no public exploit identified at time of analysis, but the attack is trivial and reported by VulnCheck.
Server-side request forgery in the @better-auth/sso plugin (versions >= 0.1.0 through < 1.6.11, and 1.7.0-beta.x) lets any authenticated Better Auth session register an OIDC provider with attacker-controlled endpoint URLs, which the auth server then fetches during callback and reflects into the user profile - a non-blind SSRF exposing cloud metadata (IMDS 169.254.169.254), internal APIs, and localhost-bound services like Redis. When trustEmailVerified is enabled it escalates to full account takeover via forged emailVerified claims. Carrying a CVSS 9.6 (scope-changed) rating with no public exploit identified at time of analysis, the flaw was reported by Vaadata and fixed in 1.6.11.
Server-side request forgery in LocalAI's POST /models/apply endpoint lets unauthenticated remote attackers coerce the server into issuing HTTP GET requests to arbitrary internal, private, and loopback addresses, with partial response bodies disclosed back through error messages. The flaw stems from passing attacker-controlled gallery URL fields into gallery.GetGalleryConfigFromURLWithContext without validation, giving attackers a network pivot from the internet into otherwise unreachable back-end services. Reported by VulnCheck with a vendor patch available; no public exploit identified at time of analysis and the CVSS 4.0 base score is 9.2 (Critical).
Quick Facts
- Typical Severity
- HIGH
- Category
- web
- Total CVEs
- 2848