Skip to main content

Server-Side Request Forgery

web HIGH

Server-Side Request Forgery exploits applications that fetch remote resources based on user-supplied URLs.

How It Works

Server-Side Request Forgery exploits applications that fetch remote resources based on user-supplied URLs. When a web server accepts a URL parameter to retrieve external content—for example, to proxy images, validate webhooks, or import data—an attacker can manipulate that parameter to make the server send requests to unintended destinations. The critical issue is that these requests originate from the server itself, bypassing firewalls and network controls that would block direct external access.

Attacks come in several forms. Direct SSRF gives the attacker full control over the destination URL, allowing them to target internal services like http://localhost:8080/admin or cloud metadata endpoints at http://169.254.169.254/latest/meta-data/. Blind SSRF occurs when the application makes the request but doesn't return the response to the attacker—they must rely on timing differences or out-of-band techniques to confirm success. Partial SSRF restricts the attacker to modifying only part of the URL, such as the hostname or path, requiring more creative exploitation.

The typical attack flow starts with identifying URL parameters that trigger server-side requests. The attacker then probes for internal services by injecting internal IP addresses or localhost references. Common targets include administrative interfaces, internal REST APIs, Redis or Memcached instances, and especially cloud metadata services that expose IAM credentials. Attackers often employ bypass techniques like encoding IPs in decimal format (2130706433 for 127.0.0.1), exploiting URL parser discrepancies between validation and execution layers, or chaining with open redirects to evade basic filters.

Impact

  • Access to internal services that should be network-isolated—admin panels, monitoring dashboards, configuration endpoints
  • Cloud credential theft via metadata APIs, particularly AWS IAM role credentials exposed at 169.254.169.254
  • Reading local files through file:// protocol support, exposing configuration files and source code
  • Network reconnaissance to map internal infrastructure and identify additional attack targets
  • Remote code execution on back-end systems like Redis or Elasticsearch that accept commands over HTTP
  • Pivoting deeper into internal networks by using the compromised server as a proxy for further attacks

Real-World Examples

Capital One suffered a massive breach in 2019 when an attacker exploited SSRF in a web application firewall to query AWS metadata services, stealing credentials that granted access to over 100 million customer records. The vulnerability allowed requests to the internal metadata endpoint that should have been unreachable.

Shopify's infrastructure exposed internal Google Cloud metadata in 2020 through an image proxy feature. Security researchers demonstrated they could retrieve service account credentials by tricking the proxy into fetching from the metadata API, potentially compromising the entire GCP environment.

Numerous CVEs in enterprise products highlight SSRF in common features: webhook validators in GitLab, PDF generators that fetch remote images, and document conversion services. These typically manifest when URL validation assumes all requests will target external internet resources, failing to anticipate internal network abuse.

Mitigation

  • Allowlist approved destination domains rather than trying to blocklist dangerous ones—only permit necessary external services
  • Disable unnecessary URL schemes entirely (file://, gopher://, dict://)—restrict to https:// only where possible
  • Network segmentation to prevent application servers from reaching internal infrastructure—use separate VLANs or VPCs
  • Deploy cloud metadata protections like AWS IMDSv2 requiring session tokens, making metadata unavailable to simple HTTP requests
  • Validate and parse URLs consistently using a single library, then verify resolved IP addresses aren't private ranges
  • Remove response bodies from errors to prevent information disclosure in blind SSRF scenarios

Recent CVEs (2866)

EPSS 0% CVSS 2.7
LOW Monitor

A flaw was found in Keycloak’s CIBA feature where insufficient validation of client-configured backchannel notification endpoints could allow blind server-side requests to internal services. [CVSS 2.7 LOW]

SSRF
NVD
EPSS 0% CVSS 7.1
HIGH POC PATCH This Week

TrustTunnel versions prior to 0.9.114 fail to validate private network restrictions when processing numeric IP addresses in TCP connections, enabling authenticated attackers to bypass SSRF protections and reach loopback or internal network targets. The vulnerability exists because IP-based connection requests skip the same security checks applied to hostname-based requests. Public exploit code exists; upgrade to version 0.9.114 or later to remediate.

SSRF Trusttunnel
NVD GitHub
EPSS 0% CVSS 4.9
MEDIUM POC PATCH This Month

NocoDB versions prior to 0.301.0 contain a blind SSRF vulnerability in the uploadViaURL feature where an unvalidated HEAD request allows authenticated attackers to probe arbitrary URLs and internal networks before SSRF protections are enforced. Public exploit code exists for this vulnerability, though it has limited impact due to the lack of response data exfiltration. Users should upgrade to version 0.301.0 or later, though no patch is currently available for older versions.

SSRF Nocodb Suse
NVD GitHub
EPSS 0% CVSS 7.6
HIGH This Week

Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, a hostname validation issue in FinalDestination could allow bypassing SSRF protections under certain conditions. [CVSS 7.6 HIGH]

SSRF Discourse
NVD GitHub
EPSS 0% CVSS 4.0
MEDIUM POC This Month

ILIAS Learning Management System 4.3 contains a server-side request forgery vulnerability that allows attackers to read local files through portfolio PDF export functionality. [CVSS 4.0 MEDIUM]

SSRF Ilias
NVD GitHub Exploit-DB
EPSS 0% CVSS 7.2
HIGH This Week

The TableMaster for Elementor plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.3.6. This is due to the plugin not restricting which URLs can be fetched when importing CSV data from a URL in the Data Table widget. This makes it possible for authenticated attackers, with Author-level access and above, to make web requests to arbitrary locations, including localhost and internal network services, and read sensitive files such as wp-config....

WordPress PHP SSRF
NVD
EPSS 0% CVSS 7.1
HIGH POC PATCH This Week

vLLM before version 0.14.1 contains a server-side request forgery vulnerability in the MediaConnector class where inconsistent URL parsing between libraries allows attackers to bypass host restrictions and force the server to make arbitrary requests to internal network resources. Public exploit code exists for this vulnerability, which poses significant risk in containerized environments where a compromised vLLM instance could be leveraged to access restricted internal systems. The vulnerability affects users running vLLM's multimodal features with untrusted input.

Python SSRF Denial Of Service +2
NVD GitHub VulDB
EPSS 0% CVSS 9.1
CRITICAL POC Act Now

Server-Side Request Forgery (SSRF) vulnerability in Squidex CMS webhook configuration allows authenticated administrators to make requests to internal services by specifying localhost or internal IP addresses as webhook destinations. PoC available.

SSRF Squidex
NVD GitHub
EPSS 0% CVSS 6.4
MEDIUM This Month

The AI Engine plugin for WordPress versions up to 3.3.2 contains a server-side request forgery vulnerability in the 'get_audio' function that allows authenticated subscribers and higher-privileged users to make arbitrary web requests from the server. When the Public API setting is enabled and allow_url_fopen is active, attackers can query and modify data on internal services accessible to the web application. No patch is currently available for this vulnerability.

WordPress SSRF AI / ML
NVD
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

XXE (XML External Entity) injection in AssertJ Java testing library from 1.4.0 to before 3.27.7 allows reading arbitrary files when parsing XML assertions. Patch available.

Java SSRF XXE +4
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM This Month

Blind Server-Side Request Forgery (SSRF) in Omada Controllers through webhook functionality, enabling crafted requests to internal services, which may lead to enumeration of information. [CVSS 5.3 MEDIUM]

SSRF Omada Controller
NVD
EPSS 0% CVSS 7.2
HIGH This Week

Unauthenticated attackers can exploit a Server-Side Request Forgery vulnerability in the WordPress Frontis Blocks plugin (versions up to 1.1.6) through unvalidated URL parameters in the template proxy endpoints to perform arbitrary web requests from the affected server. This allows an attacker to scan internal networks, access local services, or exfiltrate sensitive data without authentication. No patch is currently available.

WordPress SSRF
NVD
EPSS 0% CVSS 4.0
MEDIUM POC This Month

YetiShare File Hosting Script 5.1.0 contains a server-side request forgery vulnerability that allows attackers to read local system files through the remote file upload feature. [CVSS 4.0 MEDIUM]

SSRF
NVD Exploit-DB
EPSS 0% CVSS 5.4
MEDIUM This Month

Prince Radio Player versions 2.0.91 and earlier are vulnerable to Server-Side Request Forgery (SSRF), enabling unauthenticated remote attackers to make arbitrary requests from the affected server. This could allow attackers to access internal resources, scan internal networks, or interact with backend services that should not be directly accessible.

SSRF
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Unauthenticated Server-Side Request Forgery (SSRF) in FOG 1.5.10.1754 and earlier allows remote attackers to read internal files and access local services by manipulating the url parameter in getversion.php when newService=1 is present. The vulnerability requires no authentication or user interaction and affects the confidentiality of sensitive data accessible from the affected system. No patch is currently available.

PHP SSRF
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Rekor versions 1.4.3 and earlier contain a server-side request forgery (SSRF) vulnerability in the /api/v1/index/retrieve endpoint that allows unauthenticated remote attackers to probe internal networks through blind SSRF attacks by supplying arbitrary URLs for public key retrieval. While the vulnerability cannot directly exfiltrate data or modify state since responses are not returned and only GET requests are supported, it enables reconnaissance of internal infrastructure. The issue is patched in version 1.5.0, or can be mitigated by disabling the retrieve API with --enable_retrieve_api=false.

SSRF Rekor Red Hat +1
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM This Month

ThemeGoods PhotoMe versions below 5.7.2 contain a server-side request forgery vulnerability that allows unauthenticated attackers to perform arbitrary HTTP requests on behalf of the affected server. The vulnerability requires user interaction to exploit and can lead to information disclosure or unintended modifications on the target system. No patch is currently available.

SSRF
NVD
EPSS 0% CVSS 4.4
MEDIUM This Month

Craig Hewitt Seriously Simple Podcasting seriously-simple-podcasting is affected by server-side request forgery (ssrf) (CVSS 4.6).

SSRF
NVD
EPSS 0% CVSS 4.9
MEDIUM This Month

IMGspider WordPress plugin has a Server-Side Request Forgery vulnerability enabling attackers to make the server perform requests to internal network resources.

SSRF
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

SmartDataSoft Electrician - Electrical Service WordPress electrician is affected by server-side request forgery (ssrf) (CVSS 5.4).

WordPress SSRF
NVD
EPSS 0% CVSS 7.2
HIGH This Week

WP Messiah Frontis Blocks frontis-blocks is affected by server-side request forgery (ssrf) (CVSS 7.2).

SSRF
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Server-Side Request Forgery (SSRF) vulnerability in Marco van Wieren WPO365 wpo365-login allows Server Side Request Forgery.This issue affects WPO365: from n/a through <= 40.0. [CVSS 6.4 MEDIUM]

SSRF
NVD
EPSS 0% CVSS 4.9
MEDIUM This Month

Marco Milesi ANAC XML Viewer anac-xml-viewer is affected by server-side request forgery (ssrf) (CVSS 4.9).

SSRF
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

Pool Services WordPress plugin has a Server-Side Request Forgery vulnerability allowing attackers to make the server perform arbitrary HTTP requests to internal and external targets.

SSRF
NVD
EPSS 0% CVSS 7.5
HIGH POC This Week

A Local File Inclusion (LFI) and a Server-Side Request Forgery (SSRF) vulnerability was found in the InsertFromHtmlString() function of the Apryse HTML2PDF SDK thru 11.6.0. [CVSS 7.5 HIGH]

SSRF Html2pdf Information Disclosure
NVD
EPSS 0% CVSS 3.5
LOW PATCH Monitor

Backstage is an open framework for building developer portals, and @backstage/backend-defaults provides the default implementations and setup for a standard Backstage backend app. Prior to versions 0.12.2, 0.13.2, 0.14.1, and 0.15.0, the `FetchUrlReader` component, used by the catalog and other plugins to fetch content from URLs, followed HTTP redirects automatically. This allowed an attacker who controls a host listed in `backend.reading.allow` to redirect requests to internal or sensitive U...

SSRF Open Redirect
NVD GitHub
EPSS 0% CVSS 5.8
MEDIUM PATCH This Month

Keycloak's OpenID Connect Dynamic Client Registration feature fails to validate jwks_uri values when clients authenticate via private_key_jwt, allowing attackers to redirect the server to arbitrary network endpoints. This enables reconnaissance and information disclosure attacks against internal services and cloud metadata endpoints accessible from the Keycloak server. No patch is currently available for this MEDIUM severity vulnerability.

Information Disclosure SSRF Red Hat
NVD
EPSS 0% CVSS 8.3
HIGH POC PATCH This Week

Server-side request forgery in Chainlit before 2.9.4 lets an authenticated user coerce the server into fetching an attacker-supplied URL, exposing internal network services and cloud metadata endpoints. The flaw lives in the /project/element update flow specifically when Chainlit is deployed with the SQLAlchemy data layer backend, whose element-creation logic issues an outbound HTTP GET against a user-controlled url field and persists the response through the configured storage provider. Publicly available exploit code exists (documented in Zafran's 'ChainLeak' research), though the flaw is not listed in CISA KEV and its EPSS probability is low at 0.04%.

SSRF Chainlit
NVD GitHub VulDB
EPSS 0% CVSS 5.8
MEDIUM POC PATCH This Month

Mailpit versions before 1.28.3 contain a server-side request forgery vulnerability in the HTML Check feature that allows unauthenticated attackers to trigger arbitrary HTTP requests by crafting malicious CSS links in email messages. The vulnerability exists in the CSS inlining function which automatically downloads external stylesheets without proper validation. Public exploit code exists for this issue, though a patch is available in version 1.28.3 and later.

SSRF Mailpit Suse
NVD GitHub
EPSS 0% CVSS 7.5
HIGH POC PATCH This Week

WeasyPrint helps web developers to create PDF documents. Prior to version 68.0, a server-side request forgery (SSRF) protection bypass exists in WeasyPrint's `default_url_fetcher`. The vulnerability allows attackers to access internal network resources (such as `localhost` services or cloud metadata endpoints) even when a developer has implemented a custom `url_fetcher` to block such access. This occurs because the underlying `urllib` library follows HTTP redirects automatically without re-va...

SSRF Weasyprint Open Redirect
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

Teamwork Management System versions up to 2.28.0. is affected by server-side request forgery (ssrf) (CVSS 6.3).

Java SSRF
NVD GitHub VulDB
EPSS 0% CVSS 2.2
LOW Monitor

The Church Admin plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 5.0.28 due to insufficient validation of user-supplied URLs in the 'audio_url' parameter. [CVSS 2.2 LOW]

WordPress SSRF
NVD
EPSS 0% CVSS 7.7
HIGH This Week

Arbitrary file read vulnerability in Kafka Connect BigQuery Connector prior to version 2.11.0 allows authenticated attackers to read sensitive files by injecting malicious credential configurations through improperly validated credential_source parameters. An attacker with connector configuration privileges can exploit this to access arbitrary files on the system or perform server-side request forgery attacks against internal endpoints. No patch is currently available for affected Apache Kafka deployments.

Apache SSRF
NVD GitHub
EPSS 0% CVSS 7.5
HIGH This Week

The Librarian's web_fetch tool can be exploited via SSRF to perform unauthorized GET requests against internal IP addresses and cloud services within the Hertzner environment, allowing attackers to conduct port scanning and reconnaissance of the infrastructure. This unauthenticated network-based attack requires no user interaction and could expose sensitive internal services and their configurations. While the vendor has released patches, exploitation remains possible on unpatched instances.

SSRF AI / ML The Librarian
NVD
EPSS 0% CVSS 5.0
MEDIUM This Month

The DK PDF - WordPress PDF Generator plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.3.0 via the 'addContentToMpdf' function. [CVSS 5.0 MEDIUM]

WordPress SSRF
NVD
EPSS 0% CVSS 6.1
MEDIUM POC This Month

Lucy XSS Filter with ObjectSecurityListener or EmbedSecurityListener enabled is vulnerable to server-side request forgery (SSRF) via malformed embed or object tags lacking file extensions in src attributes, allowing remote attackers to trigger arbitrary HEAD requests to internal or external URLs. Public exploit code exists for this vulnerability, and no patch is currently available.

SSRF XSS Lucy Xss Filter
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM POC This Month

Umbraco CMS v8.14.1 contains a server-side request forgery vulnerability that allows attackers to manipulate baseUrl parameters in multiple dashboard and help controller endpoints. [CVSS 5.3 MEDIUM]

SSRF Umbraco Cms
NVD Exploit-DB
EPSS 0%
This Week

Server-Side Request Forgery (SSRF) vulnerability in Sonatype Nexus Repository 3 versions 3.0.0 and later allows authenticated administrators to configure proxy repositories with URLs that can access unintended network destinations, potentially including cloud metadata services and internal network resources.

SSRF
NVD
EPSS 0% CVSS 8.6
HIGH This Week

The Google Gemini connector in AI/ML products allows authenticated users with connector management privileges to read arbitrary files through unvalidated file path and network request parameters in credential configurations. An attacker with sufficient authentication access can craft malicious JSON payloads to trigger server-side requests and disclose sensitive files from the affected system. This vulnerability requires valid credentials and administrative privileges but presents a high risk of confidential data exposure.

SSRF Google
NVD VulDB
EPSS 0% CVSS 7.2
HIGH This Week

The GetContentFromURL plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.0. This is due to the plugin using wp_remote_get() instead of wp_safe_remote_get() to fetch content from a user-supplied URL in the 'url' parameter of the [gcfu] shortcode. [CVSS 7.2 HIGH]

WordPress SSRF PHP
NVD
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Microsoft SharePoint Server contains a server-side request forgery vulnerability that allows authenticated users to access sensitive information across the network. An attacker with valid credentials can exploit this flaw to disclose confidential data without requiring user interaction. No patch is currently available for this issue.

Microsoft SSRF Sharepoint Server
NVD
EPSS 0% CVSS 3.8
LOW Monitor

A Server-Side Request Forgery (SSRF) vulnerability [CWE-918] vulnerability in Fortinet FortiSandbox 5.0.0 through 5.0.4, FortiSandbox 4.4 all versions, FortiSandbox 4.2 all versions, FortiSandbox 4.0 all versions may allow an authenticated attacker to proxy internal requests limited to plaintext endpoints only via crafted HTTP requests. [CVSS 3.8 LOW]

Fortinet SSRF
NVD
EPSS 0% CVSS 6.5
MEDIUM POC This Month

Insecure permissions in Hubert Imoveis e Administracao Ltda Hub v2.0 1.27.3 allows authenticated attackers with low-level privileges to access other users' information via a crafted API request. [CVSS 6.5 MEDIUM]

SSRF Hub
NVD GitHub
EPSS 0% CVSS 2.1
LOW Monitor

Metabase is an open-source data analytics platform. versions up to 55.13 is affected by server-side request forgery (ssrf).

SSRF Metabase
NVD GitHub
EPSS 0% CVSS 5.8
MEDIUM POC PATCH This Month

Fulcio versions prior to 1.8.5 allow unauthenticated attackers to bypass MetaIssuer URL validation through unanchored regex patterns, enabling blind SSRF attacks against internal services. Although the vulnerability is limited to read-only GET requests with no response exfiltration, attackers can probe internal networks to discover active services and infrastructure. Public exploit code exists for this medium-severity issue, and a patch is available in version 1.8.5.

SSRF Fulcio Red Hat +1
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM This Month

The Featured Image from URL (FIFU) plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 5.3.1. This is due to insufficient validation of user-supplied URLs before passing them to the getimagesize() function in the Elementor widget integration. [CVSS 4.3 MEDIUM]

WordPress SSRF PHP
NVD
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Ghost is a Node.js content management system. In versions 5.38.0 through 5.130.5 and 6.0.0 through 6.10.3, a vulnerability in Ghost’s media inliner mechanism allows staff users in possession of a valid authentication token for the Ghost Admin API to exfiltrate data from internal systems via SSRF. [CVSS 2.7 LOW]

Node.js SSRF
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Mastodon's IP address filtering bypass (CWE-918) permits attackers to craft requests using unblocked IP ranges to reach local and loopback services, potentially exposing private resources and internal APIs. An unauthenticated remote attacker can exploit incomplete private address range validation in Mastodon instances to perform Server-Side Request Forgery (SSRF) attacks. Patched versions 4.5.4, 4.4.11, 4.3.17, and 4.2.29 are available.

SSRF Mastodon
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM POC PATCH This Month

Miniflux's media proxy endpoint is vulnerable to Server-Side Request Forgery (SSRF) in versions prior to 2.2.16, allowing authenticated users to craft malicious proxy URLs that force the application to fetch and expose responses from internal network resources including localhost and private IP ranges. An attacker with valid credentials can abuse this to access sensitive internal services and metadata endpoints by embedding specially crafted URLs in feed content. Public exploit code exists for this vulnerability, and no patch is currently available for affected installations.

SSRF Miniflux Suse
NVD GitHub
EPSS 0% CVSS 6.4
MEDIUM This Month

nK Themes Helper WordPress plugin (through 1.7.9) has SSRF enabling unauthenticated server-side requests to internal services and cloud metadata endpoints.

SSRF
NVD
EPSS 1% CVSS 5.8
MEDIUM POC PATCH This Month

Mailpit versions 1.28.0 and earlier contain a server-side request forgery vulnerability in the /proxy endpoint that permits unauthenticated attackers to probe and access internal network resources and services. The endpoint insufficiently validates destination addresses, allowing requests to internal IP ranges despite scheme validation. Public exploit code exists for this vulnerability, which is resolved in version 1.28.1.

SSRF Mailpit Suse
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM POC This Month

Smartliving SmartLAN/G/SI <=6.x contains an unauthenticated server-side request forgery vulnerability in the GetImage functionality through the 'host' parameter. [CVSS 5.3 MEDIUM]

SSRF
NVD Exploit-DB
EPSS 0% CVSS 9.1
CRITICAL POC PATCH Act Now

LibreChat 0.8.1-rc2 has SSRF in the Actions feature that allows authenticated users to make the server perform requests to internal networks. By configuring agents with malicious OpenAPI specifications, attackers can scan internal infrastructure and access internal services. PoC available, patch available.

Docker SSRF AI / ML +1
NVD GitHub
EPSS 0% CVSS 7.1
HIGH This Week

Bio-Formats versions up to 8.3.0 contain an XML External Entity (XXE) injection vulnerability in the Leica Microsystems metadata parser that fails to disable external entity expansion. A local attacker can exploit this by crafting malicious XML metadata files to trigger server-side request forgery, read local files, or cause denial of service. No patch is currently available.

XXE Denial Of Service SSRF +1
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM This Month

Knowage is an open source analytics and business intelligence suite. Prior to version 8.1.37, there is a blind server-side request forgery vulnerability. [CVSS 6.5 MEDIUM]

Industrial SSRF Knowage
NVD GitHub
EPSS 0% CVSS 4.9
MEDIUM This Month

Server-Side Request Forgery (SSRF) vulnerability in minnur External Media allows Server Side Request Forgery.This issue affects External Media: from n/a through 1.0.36. [CVSS 4.9 MEDIUM]

SSRF
NVD
EPSS 0% CVSS 2.0
LOW Monitor

Server-side request forgery in InvoiceNinja up to version 5.12.38 allows remote attackers with high privileges to manipulate the company_logo parameter during migration imports, enabling them to make arbitrary outbound requests from the affected server. Public exploit code is available and the vendor has not provided a patch or response to this disclosure. The vulnerability affects PHP and Golang environments with a CVSS score of 4.7.

PHP SSRF
NVD VulDB
EPSS 0% CVSS 6.4
MEDIUM This Month

The Xagio SEO - AI Powered SEO plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 7.1.0.30 via the 'pixabayDownloadImage' function. [CVSS 6.4 MEDIUM]

WordPress SSRF AI / ML +1
NVD
EPSS 0% CVSS 6.8
MEDIUM POC PATCH This Month

Craft is a platform for creating digital experiences. In versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16, the Craft CMS GraphQL `save_<VolumeName>_Asset` mutation is vulnerable to Server-Side Request Forgery (SSRF). [CVSS 6.8 MEDIUM]

SSRF Craft Cms
NVD GitHub
EPSS 0% CVSS 7.9
HIGH PATCH This Week

Spinnaker is an open source, multi-cloud continuous delivery platform. Versions prior to 2025.1.6, 2025.2.3, and 2025.3.0 are vulnerable to server-side request forgery. [CVSS 7.9 HIGH]

Docker Kubernetes AWS +4
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM This Month

A Blind Server-Side Request Forgery (SSRF) vulnerability in evershop 2.1.0 and prior allows unauthenticated attackers to force the server to initiate an HTTP request via the "GET /images" API. [CVSS 6.5 MEDIUM]

SSRF Evershop
NVD GitHub
EPSS 0% CVSS 7.7
HIGH POC This Week

Server-side request forgery (SSRF) in Emlog up to version 2.5.19 allows authenticated attackers to make arbitrary HTTP requests by uploading malicious SVG files to the media upload endpoint, enabling internal network reconnaissance and potential credential exposure when the server processes the files. Public exploit code exists for this vulnerability and no patches are currently available. The flaw affects all Emlog installations accepting SVG uploads and can be exploited without user interaction once an attacker gains authenticated access.

SSRF Emlog
NVD GitHub
EPSS 0% CVSS 2.0
LOW Monitor

A flaw has been found in go-sonic sonic versions up to 1.1.4. is affected by server-side request forgery (ssrf) (CVSS 4.7).

SSRF
NVD VulDB
EPSS 0% CVSS 7.5
HIGH POC PATCH This Week

Cpp-Httplib versions up to 0.30.0 contains a vulnerability that allows attackers to add extra headers, modify request body unexpectedly & trigger an SSRF attack (CVSS 7.5).

Python SSRF Cpp Httplib +2
NVD GitHub
EPSS 0% CVSS 6.4
MEDIUM This Month

The WP Import - Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 7.35. This is due to inadequate validation of the resolved URL after following Bitly shortlink redirects in the `upload_function()` method. [CVSS 6.4 MEDIUM]

WordPress SSRF PHP
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

Server-Side Request Forgery (SSRF) in the WordPress & WooCommerce Scraper Plugin (wp_scraper) versions up to 1.0.7 allows unauthenticated attackers to make arbitrary HTTP requests from the affected WordPress server. The vulnerability exists in the plugin's core scraping functionality, which fails to properly validate or restrict the target URLs that can be requested. An attacker can exploit this to scan internal networks, access internal services, exfiltrate data from backend systems, or perform reconnaissance against the hosting infrastructure. No public exploit code has been identified at time of analysis, and EPSS risk is minimal at 0.01%, but the vulnerability affects all installations of the vulnerable plugin versions.

WordPress SSRF
NVD
EPSS 0% CVSS 4.9
MEDIUM This Month

Server-Side Request Forgery (SSRF) in Jthemes Genemy WordPress theme versions up to 1.6.6 allows unauthenticated remote attackers to make arbitrary HTTP requests from the affected server, potentially accessing internal resources, cloud metadata endpoints, or services restricted to localhost. No CVSS score is assigned in official databases; EPSS probability is extremely low at 0.01%, and no public exploit code or active exploitation has been identified. The vulnerability was reported by Patchstack's security audit team.

SSRF
NVD
EPSS 0% CVSS 2.1
LOW POC Monitor

Server-side request forgery (SSRF) in EyouCMS versions up to 1.7.7 allows authenticated remote attackers to manipulate the saveRemote function in application/function.php, enabling arbitrary HTTP requests from the server. The vulnerability carries low confidentiality, integrity, and availability impact but is publicly exploitable with proof-of-concept code available. Vendor has acknowledged the flaw and committed to releasing patched version 1.7.8.

PHP SSRF Eyoucms
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM This Month

A vulnerability was determined in FeehiCMS up to 2.1.1. Impacted is an unknown function of the file frontend/web/timthumb.php of the component TimThumb. Executing manipulation of the argument src can lead to server-side request forgery. The attack can be launched remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.

PHP SSRF Feehicms
NVD VulDB
EPSS 0% CVSS 4.9
MEDIUM This Month

Server-Side Request Forgery (SSRF) in Youzify WordPress plugin through version 1.3.7 allows authenticated high-privilege users to make arbitrary network requests from the server, exposing internal resources and services. The vulnerability requires administrative credentials (PR:H) but carries high confidentiality impact with EPSS score of 0.04% indicating minimal real-world exploitation likelihood despite the moderate CVSS score of 4.9.

SSRF
NVD
EPSS 0% CVSS 4.9
MEDIUM This Month

Server-Side Request Forgery (SSRF) in WordPress Image Shrinker plugin versions up to 1.1.0 enables unauthenticated remote attackers to forge requests from the affected server to internal or external resources, potentially exposing sensitive data or enabling lateral movement within network infrastructure. The vulnerability has extremely low exploitation probability (EPSS 0.04th percentile) and no public exploit code identified, suggesting limited real-world threat despite the technical severity of SSRF vulnerabilities.

WordPress SSRF
NVD
EPSS 0% CVSS 2.1
LOW POC Monitor

Server-side request forgery in YunaiV yudao-cloud through version 2025.11 allows authenticated remote attackers to manipulate HTTP callback and sync request functionality in the Business Process Management component by controlling the URL, headers, and body parameters, enabling attackers to forge arbitrary server-side requests. The vulnerability carries a low CVSS score (2.1) due to the authenticated requirement (PR:L) and limited scope, but publicly available proof-of-concept code exists; the vendor did not respond to early disclosure notification.

SSRF
NVD GitHub VulDB
EPSS 0% CVSS 4.9
MEDIUM This Month

Server-Side Request Forgery in WordPress Link Library plugin versions up to 7.8.7 allows unauthenticated remote attackers to make arbitrary HTTP requests from the server, potentially accessing internal resources, cloud metadata endpoints, or conducting reconnaissance of internal network infrastructure. CVSS score of 9.1 indicates high severity, though EPSS of 0.04% (14th percentile) suggests limited observed exploitation attempts. No active exploitation confirmed (not in CISA KEV) and no public exploit identified at time of analysis.

SSRF
NVD
EPSS 0% CVSS 4.9
MEDIUM This Month

Server-Side Request Forgery (SSRF) vulnerability in bdthemes Prime Slider - Addons For Elementor bdthemes-prime-slider-lite allows Server Side Request Forgery.This issue affects Prime Slider - Addons For Elementor: from n/a through <= 4.0.10.

SSRF
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

Server-Side Request Forgery (SSRF) in 6Storage Rentals WordPress plugin versions ≤2.20.2 allows unauthenticated remote attackers to send crafted requests from the vulnerable server to arbitrary internal or external systems. With CVSS 9.1 (critical) due to network-accessible attack vector requiring no authentication or user interaction, attackers can achieve high confidentiality and integrity impact by potentially accessing internal services, cloud metadata endpoints, or exfiltrating sensitive data. EPSS score of 0.04% (14th percentile) indicates relatively low observed exploitation probability despite the critical severity rating. No confirmed active exploitation (not in CISA KEV) and no public exploit code identified at time of analysis.

SSRF
NVD
EPSS 0% CVSS 7.8
HIGH POC PATCH This Week

Server-Side Request Forgery (SSRF) in HTTParty 0.23.2 and earlier enables remote unauthenticated attackers to force the application to make arbitrary HTTP requests to internal network resources and third-party services, potentially leaking API keys and credentials embedded in outbound requests or accessing internal-only endpoints. Publicly available exploit code exists (GitHub Security Advisory GHSA-hm5p-x4rq-38w4), and the CVSS E:P modifier confirms proof-of-concept exploitation. Vendor-released patch is available via commit 0529bcd, though a tagged release version is not confirmed from provided data. EPSS data not provided, but SSRF vulnerabilities targeting API libraries typically see exploitation within weeks of public disclosure due to their prevalence in cloud-native environments.

SSRF Httparty Red Hat
NVD GitHub
EPSS 5% CVSS 8.7
HIGH This Week

Arbitrary file write in Streama (open-source self-hosted media server) versions 1.10.0 through 1.10.5 lets an authenticated user chain a path traversal flaw with a server-side request forgery in the subtitle download feature to plant files anywhere the application process can write, potentially escalating to remote code execution. The subtitle endpoint trusts both the remote fetch URL and the destination filename, so a crafted download link plus a '../' filename escapes the intended staging directory. There is no CISA KEV listing and no packaged exploit is flagged in the source data, though a detailed VulnCheck advisory and a public technical write-up (chocapikk.com) describe the mechanics.

SSRF Path Traversal RCE
NVD GitHub
EPSS 0% CVSS 5.1
MEDIUM POC This Month

PodcastGenerator 3.2.9 contains a blind server-side request forgery vulnerability that allows attackers to inject XML in the episode upload form. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SSRF Podcast Generator
NVD GitHub Exploit-DB
EPSS 0% CVSS 5.4
MEDIUM This Month

Server-Side Request Forgery (SSRF) vulnerability in LMPixels Kerge kerge allows Server Side Request Forgery.This issue affects Kerge: from n/a through <= 4.1.3.

SSRF
NVD
EPSS 0% CVSS 3.5
LOW Monitor

WP Fastest Cache Premium plugin versions up to 1.7.4 contain a Server-Side Request Forgery (SSRF) vulnerability in the 'get_server_time_ajax_request' AJAX action that allows authenticated Subscriber-level users to send arbitrary web requests originating from the server, potentially enabling reconnaissance and manipulation of internal services. The free version is unaffected. No public exploit code has been identified at time of analysis, with a very low EPSS score of 0.04% indicating minimal real-world exploitation likelihood despite the authenticated attack vector.

WordPress SSRF Authentication Bypass
NVD
EPSS 0% CVSS 2.1
LOW POC Monitor

Server-side request forgery in PowerJob up to version 5.1.2 allows authenticated remote attackers to manipulate the targetIp and targetPort arguments in the checkConnectivity function of the Network Request Handler component, enabling SSRF attacks with low confidentiality, integrity, and availability impact. Publicly available exploit code exists; however, the EPSS score of 0.03% indicates minimal real-world exploitation probability despite the public exploit availability, suggesting this vulnerability has seen limited active abuse.

Java SSRF Powerjob
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

Server-side request forgery in Yalantis uCrop 2.2.11 allows authenticated remote attackers to manipulate the downloadFile function in BitmapLoadTask.java URL handler, enabling arbitrary HTTP requests from the affected server. The vulnerability requires user authentication (PR:L) and carries limited confidentiality and integrity impact. Public exploit code exists, though the vendor has not responded to early disclosure attempts.

Java SSRF Ucrop
NVD VulDB
EPSS 0% CVSS 4.9
MEDIUM This Month

Server-Side Request Forgery (SSRF) vulnerability in ThemesInflow Hercules Core hercules-core allows Server Side Request Forgery.This issue affects Hercules Core : from n/a through <= 7.4.

SSRF
NVD
EPSS 0% CVSS 4.6
MEDIUM This Month

IBM InfoSphere Information Server 11.7.0.0 through 11.7.1.6 is vulnerable to server-side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks.

IBM SSRF Infosphere Information Server
NVD
EPSS 0% CVSS 8.6
HIGH This Week

Server-Side Request Forgery (SSRF) vulnerability in Infinera MTC-9 version allows remote unauthenticated users to gain access to other network resources using HTTPS requests through the appliance used as a bridge.

SSRF Infinera Mtc 9 Firmware
NVD
EPSS 0% CVSS 2.0
LOW Monitor

A vulnerability was detected in xerrors Yuxi-Know up to 0.4.0. This vulnerability affects the function OtherEmbedding.aencode of the file /src/models/embed.py. Performing manipulation of the argument health_url results in server-side request forgery. The attack can be initiated remotely. The exploit is now public and may be used. The patch is named 0ff771dc1933d5a6b78f804115e78a7d8625c3f3. To fix this issue, it is recommended to deploy a patch. The vendor responded with a vulnerability confirmation and a list of security measures they have established already (e.g. disabled URL parsing, disabled URL upload mode, removed URL-to-markdown conversion).

SSRF
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH POC PATCH This Week

Server-Side Request Forgery (SSRF) vulnerability  in Apache HTTP Server on Windows with AllowEncodedSlashes On and MergeSlashes Off  allows to potentially leak NTLM hashes to a malicious server via SSRF and malicious requests or content Users are recommended to upgrade to version 2.4.66, which fixes the issue.

Microsoft Apache SSRF +7
NVD GitHub
EPSS 0% CVSS 8.5
HIGH POC PATCH This Week

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.6.37, a Server-Side Request Forgery (SSRF) vulnerability in Open WebUI allows any authenticated user to force the server to make HTTP requests to arbitrary URLs. This can be exploited to access cloud metadata endpoints (AWS/GCP/Azure), scan internal networks, access internal services behind firewalls, and exfiltrate sensitive information. No special permissions beyond basic authentication are required. This vulnerability is fixed in 0.6.37.

Microsoft SSRF Open Webui
NVD GitHub VulDB
EPSS 0% CVSS 2.0
LOW POC Monitor

A flaw has been found in dayrui XunRuiCMS up to 4.7.1. This vulnerability affects unknown code of the file admin79f2ec220c7e.php?c=api&m=test_site_domain of the component Project Domain Change Test. This manipulation of the argument v causes server-side request forgery. It is possible to initiate the attack remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

PHP SSRF
NVD GitHub VulDB
EPSS 0% CVSS 2.0
LOW POC Monitor

A security flaw has been discovered in dayrui XunRuiCMS up to 4.7.1. Affected is an unknown function of the file /admind45f74adbd95.php?c=email&m=add of the component Email Setting Handler. Performing a manipulation results in server-side request forgery. Remote exploitation of the attack is possible. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

PHP SSRF
NVD GitHub VulDB
Prev Page 12 of 32 Next

Quick Facts

Typical Severity
HIGH
Category
web
Total CVEs
2866

Related CWEs

MITRE ATT&CK

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy