Server-Side Request Forgery
Server-Side Request Forgery exploits applications that fetch remote resources based on user-supplied URLs.
How It Works
Server-Side Request Forgery exploits applications that fetch remote resources based on user-supplied URLs. When a web server accepts a URL parameter to retrieve external content—for example, to proxy images, validate webhooks, or import data—an attacker can manipulate that parameter to make the server send requests to unintended destinations. The critical issue is that these requests originate from the server itself, bypassing firewalls and network controls that would block direct external access.
Attacks come in several forms. Direct SSRF gives the attacker full control over the destination URL, allowing them to target internal services like http://localhost:8080/admin or cloud metadata endpoints at http://169.254.169.254/latest/meta-data/. Blind SSRF occurs when the application makes the request but doesn't return the response to the attacker—they must rely on timing differences or out-of-band techniques to confirm success. Partial SSRF restricts the attacker to modifying only part of the URL, such as the hostname or path, requiring more creative exploitation.
The typical attack flow starts with identifying URL parameters that trigger server-side requests. The attacker then probes for internal services by injecting internal IP addresses or localhost references. Common targets include administrative interfaces, internal REST APIs, Redis or Memcached instances, and especially cloud metadata services that expose IAM credentials. Attackers often employ bypass techniques like encoding IPs in decimal format (2130706433 for 127.0.0.1), exploiting URL parser discrepancies between validation and execution layers, or chaining with open redirects to evade basic filters.
Impact
- Access to internal services that should be network-isolated—admin panels, monitoring dashboards, configuration endpoints
- Cloud credential theft via metadata APIs, particularly AWS IAM role credentials exposed at 169.254.169.254
- Reading local files through
file://protocol support, exposing configuration files and source code - Network reconnaissance to map internal infrastructure and identify additional attack targets
- Remote code execution on back-end systems like Redis or Elasticsearch that accept commands over HTTP
- Pivoting deeper into internal networks by using the compromised server as a proxy for further attacks
Real-World Examples
Capital One suffered a massive breach in 2019 when an attacker exploited SSRF in a web application firewall to query AWS metadata services, stealing credentials that granted access to over 100 million customer records. The vulnerability allowed requests to the internal metadata endpoint that should have been unreachable.
Shopify's infrastructure exposed internal Google Cloud metadata in 2020 through an image proxy feature. Security researchers demonstrated they could retrieve service account credentials by tricking the proxy into fetching from the metadata API, potentially compromising the entire GCP environment.
Numerous CVEs in enterprise products highlight SSRF in common features: webhook validators in GitLab, PDF generators that fetch remote images, and document conversion services. These typically manifest when URL validation assumes all requests will target external internet resources, failing to anticipate internal network abuse.
Mitigation
- Allowlist approved destination domains rather than trying to blocklist dangerous ones—only permit necessary external services
- Disable unnecessary URL schemes entirely (file://, gopher://, dict://)—restrict to https:// only where possible
- Network segmentation to prevent application servers from reaching internal infrastructure—use separate VLANs or VPCs
- Deploy cloud metadata protections like AWS IMDSv2 requiring session tokens, making metadata unavailable to simple HTTP requests
- Validate and parse URLs consistently using a single library, then verify resolved IP addresses aren't private ranges
- Remove response bodies from errors to prevent information disclosure in blind SSRF scenarios
Recent CVEs (2868)
A vulnerability was found in Exrick xboot up to 3.3.4. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
A vulnerability classified as critical was found in givanz Vvveb up to 1.0.5. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
Grafana is an open-source platform for monitoring and observability. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Cursor is a code editor built for programming with AI. Rated medium severity (CVSS 4.4), this vulnerability is remotely exploitable. No vendor patch available.
webfinger.js is a TypeScript-based WebFinger client that runs in both browsers and Node.js environments. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Server-side request forgery in ssrfcheck npm package versions before 1.2.0 enables attackers to bypass IP blocklist validation and craft requests to multicast IP addresses (224.0.0.0/4). The vulnerability stems from an incomplete denylist that fails to classify reserved multicast address space as invalid, allowing network-accessible exploitation with no authentication required. Public exploit code exists (Snyk gist, CVSS E:P) with EPSS indicating moderate exploitation probability. Vendor patch available in version 1.2.0 via GitHub commit 9507b49.
Server-side request forgery in ChanCMS up to version 3.1.2 allows authenticated attackers to conduct SSRF attacks via the targetUrl parameter in the /cms/collect/getPages endpoint. The CVSS score of 2.1 reflects low confidentiality and integrity impact on the vulnerable component itself, but the publicly disclosed exploit and low EPSS score (0.10%, percentile 26%) suggest this vulnerability carries minimal real-world exploitation risk despite active public disclosure.
Salesforce Tableau Server on Windows and Linux allows authenticated attackers with low privileges to conduct Server-Side Request Forgery attacks through the Amazon S3 Connector module, enabling resource location spoofing that could result in unauthorized access to internal systems and data exfiltration. Versions before 2025.1.3, 2024.2.12, and 2023.3.19 are affected. EPSS score of 0.04% (12th percentile) indicates minimal observed exploitation activity, and no public exploit has been identified at time of analysis.
Server-Side Request Forgery in Apwide Golive 10.2.0 for Jira allows an attacker to abuse the plugin's test webhook function to induce the server to issue HTTP requests to arbitrary internal or external hosts. The vulnerability carries a scope-changed CVSS vector (S:C), meaning requests escape the plugin's trust boundary and can reach internal network resources invisible to the attacker. With an EPSS of 0.29% (20th percentile) and no active exploitation confirmed in CISA KEV, real-world risk is currently low, but the SSRF primitive could enable internal service enumeration or SSRF-chained attacks against cloud metadata endpoints on Jira-hosting infrastructure.
Server-side request forgery in ChanCMS up to version 3.1.2 allows authenticated remote attackers to manipulate the targetUrl argument in the getArticle function (app/modules/api/service/gather.js), enabling them to make arbitrary HTTP requests from the affected server. Publicly available exploit code exists, but the CVSS score of 2.1 reflects limited confidentiality, integrity, and availability impact despite network accessibility; exploitation is restricted to authenticated users with low privileges.
Server-Side Request Forgery (SSRF) in the private-ip npm package allows remote unauthenticated attackers to bypass IP filtering by providing multicast addresses (224.0.0.0/4) that the library incorrectly validates as safe, enabling access to internal network resources. This affects all versions of the package with a CVSS 4.0 score of 7.8 (High) and proof-of-concept exploit code is publicly available per the E:P metric. Organizations using private-ip for server-side request validation are at immediate risk of internal network reconnaissance and data exfiltration.
Server-Side Request Forgery in Featured Image Plus - Quick & Bulk Edit with Unsplash WordPress plugin through version 1.6.6 allows authenticated administrators to make arbitrary web requests from the vulnerable server via the fip_get_image_options() function, potentially enabling reconnaissance and modification of internal services. No public exploit code or active CISA KEV confirmation documented; however, the vulnerability requires administrator-level access and presents a CVSS 5.5 score reflecting limited confidentiality and integrity impact.
Server-Side Request Forgery in Agorum core open's TunnelServlet component exposes internal and external network resources to unauthenticated remote attackers through crafted HTTP requests. Affected versions are 11.9.2 and 11.10.1 of the agorum Software GmbH document management platform. No active exploitation is confirmed and the EPSS score sits at the 10th percentile (0.20%), indicating low observed exploitation pressure at time of analysis, though the zero-authentication requirement lowers the barrier for opportunistic scanning.
Server-side request forgery in Xuxueli xxl-job up to version 3.1.1 allows authenticated remote attackers to perform SSRF attacks via the httpJobHandler function, enabling access to internal network resources. The vulnerability has a low CVSS score (2.1) due to required authentication and limited confidentiality impact, but publicly available exploit code exists and should be remediated promptly in affected deployments.
Server-side request forgery (SSRF) in thinkgem JeeSite up to version 5.12.0 allows authenticated remote attackers to manipulate the Source argument in the UEditor Image Grabber component (ActionEnter.java), enabling arbitrary HTTP requests from the vulnerable server with low confidentiality, integrity, and availability impact. Publicly available exploit code exists, and a patch has been released by the vendor.
Server-Side Request Forgery (SSRF) in FG Drupal to WordPress plugin versions 3.90.0 and earlier allows remote attackers to make arbitrary HTTP requests from the affected WordPress server, potentially accessing internal services, cloud metadata endpoints, or other backend resources. The vulnerability has an extremely low EPSS score (0.03%, 10th percentile), indicating minimal observed exploitation probability despite public availability of vulnerability details.
In PHP versions:8.1.* before 8.1.33, 8.2.* before 8.2.29, 8.3.* before 8.3.23, 8.4.* before 8.4.10 some functions like fsockopen() lack validation that the hostname supplied does not contain null characters. This may lead to other functions like parse_url() treat the hostname in different way, thus opening way to security problems if the user code implements access checks before access using such functions.
CVE-2024-58258 is a Server-Side Request Forgery (SSRF) vulnerability in SugarCRM's API module that exploits limited code injection capabilities to allow unauthenticated remote attackers to make arbitrary requests from the affected server. SugarCRM versions before 13.0.4 and 14.x before 14.0.1 are affected, potentially enabling attackers to access internal resources, cloud metadata endpoints, or perform lateral movement. The vulnerability has a CVSS 3.1 score of 7.2 (High) with network-based attack vector and no authentication required, though it does not enable direct code execution or availability impact.
CVE-2025-53641 is a Server-Side Request Forgery (SSRF) vulnerability in Postiz versions 1.45.1 through 1.62.2 that allows unauthenticated network attackers to inject arbitrary HTTP headers into the middleware pipeline, enabling unauthorized outbound requests from the affected server. With a CVSS score of 8.2 and network-accessible attack surface (AV:N/PR:N), this vulnerability poses significant risk to confidentiality of internal services and resources accessible from the server. The vulnerability is patched in version 1.62.3, and exploitation requires no user interaction or authentication, making it a high-priority remediation target.
A Server-Side Request Forgery (SSRF) in JGM Pandoc v3.6.4 allows attackers to gain access to and compromise the whole infrastructure via injecting a crafted iframe. Note: Some users have stated that Pandoc by default can retrieve and parse untrusted HTML content which can enable SSRF vulnerabilities. Using the ‘--sandbox’ option or ‘pandoc-server’ can mitigate such vulnerabilities. Using pandoc with an external ‘--pdf-engine’ can also enable SSRF vulnerabilities, such as CVE-2022-35583 in wkhtmltopdf.
A CWE-918: Server-Side Request Forgery (SSRF) vulnerability exists that could cause unauthenticated remote code execution when the server is accessed via the network with knowledge of hidden URLs and manipulation of host request header.
A SSRF vulnerability in for WordPress is vulnerable to Server-Side Request Forgery in all (CVSS 7.2). High severity vulnerability requiring prompt remediation. Vendor patch is available.
A denial of service vulnerability in DiscordNotifications (CVSS 9.1) that allows sending requests. Critical severity with potential for significant impact on affected systems.
CVE-2024-43394 is a Server-Side Request Forgery (SSRF) vulnerability in Apache HTTP Server on Windows (versions 2.4.0-2.4.63) that allows unauthenticated remote attackers to leak NTLM credential hashes to malicious servers through unvalidated request input processed by mod_rewrite or Apache expressions. The vulnerability exploits Windows SMB/UNC path handling to trigger NTLM authentication, potentially compromising domain credentials. This is a high-severity issue affecting all default Windows installations without explicit UNC path filtering.
CVE-2024-43204 is a Server-Side Request Forgery (SSRF) vulnerability in Apache HTTP Server when mod_proxy is loaded, allowing unauthenticated attackers to initiate outbound proxy requests to attacker-controlled URLs. The vulnerability requires an uncommon configuration where mod_headers is used to modify Content-Type headers based on user-supplied HTTP request values. Apache recommends immediate upgrade to version 2.4.64 to remediate this high-integrity-impact issue.
ColdFusion versions 2025.2, 2023.14, 2021.20 and earlier are affected by a Server-Side Request Forgery (SSRF) vulnerability that could lead to arbitrary file system read. A high-privilege authenticated attacker can force the application to make arbitrary requests via injection of URLs. Exploitation of this issue does not require user interaction and scope is changed. The vulnerable component is restricted to internal IP addresses.
SSRF in Ivanti Connect Secure before version 22.7R2.8 and Ivanti Policy Secure before version 22.7R1.5 allows a remote authenticated attacker with admin rights to access internal network services.
SAP CMC Promotion Management allows an authenticated attacker to enumerate internal network systems by submitting crafted requests during job source configuration. By analysing response times for various IP addresses and ports, the attacker can infer valid network endpoints. Successful exploitation may lead to information disclosure. This vulnerability does not impact the integrity or availability of the application.
Server-side request forgery (SSRF) vulnerability exists n multiple versions of Nimesa Backup and Recovery, If this vulnerability is exploited, unintended requests may be sent to internal servers.
A vulnerability was found in BoyunCMS up to 1.4.20. It has been rated as critical. This issue affects some unknown processing of the file /application/pay/controller/Index.php of the component curl. The manipulation leads to server-side request forgery. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
Server-Side Request Forgery (SSRF) vulnerability in TeconceTheme Allmart allows Server Side Request Forgery. This issue affects Allmart: from n/a through 1.0.0.
Server-Side Request Forgery (SSRF) vulnerability in Md Yeasin Ul Haider URL Shortener allows Server Side Request Forgery. This issue affects URL Shortener: from n/a through 3.0.7.
The PayMaster for WooCommerce plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 0.4.31 via the 'wp_ajax_paym_status' AJAX action This makes it possible for authenticated attackers, with Subscriber-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
The Amazon Products to WooCommerce plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.2.7 via the wcta2w_get_urls(). This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
A server-side request forgery vulnerability exists in multiple firmware versions of AVTECH DVR devices that exposes the /cgi-bin/nobody/Search.cgi?action=cgi_query endpoint without authentication. An attacker can manipulate the ip, port, and queryb64str parameters to make arbitrary HTTP requests from the DVR to internal or external systems, potentially exposing sensitive data or interacting with internal services.
zrlog v3.1.5 was discovered to contain a Server-Side Request Forgery (SSRF) via the downloadUrl parameter.
Akamai CloudTest before 60 2025.06.09 (12989) allows SSRF.
Lychee is a free, open-source photo-management tool. Prior to version 6.6.13, a critical Server-Side Request Forgery (SSRF) vulnerability exists in the `/api/v2/Photo::fromUrl` endpoint. This flaw lets an attacker instruct the application’s backend to make HTTP requests to any URL they choose. Consequently, internal network resources-such as localhost services or cloud-provider metadata endpoints-become reachable. The endpoint takes a URL from the user and calls it server-side via fopen() without any safeguards. There is no IP address validation, nor are there any allow-list, timeout, or size restrictions. Because of this, attackers can point the application at internal targets. Using this flaw, an attacker can perform internal port scans or retrieve sensitive cloud metadata. Version 6.6.13 contains a patch for the issue.
A vulnerability classified as critical has been found in diyhi bbs up to 6.8. This affects the function getUrl of the file /admin/login of the component HTTP Header Handler. The manipulation of the argument Host leads to server-side request forgery. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
The Ninja Tables - Easy Data Table Builder plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 5.0.18 via the args[url] parameter. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
Octo-STS is a GitHub App that acts like a Security Token Service (STS) for the GitHub API. Octo-STS versions before v0.5.3 are vulnerable to unauthenticated SSRF by abusing fields in OpenID Connect tokens. Malicious tokens were shown to trigger internal network requests which could reflect error logs with sensitive information. Upgrade to v0.5.3 to resolve this issue. This version includes patch sets to sanitize input and redact logging.
URL redirection to an untrusted site ('Open Redirect') in Kibana can lead to sending a user to an arbitrary site and server-side request forgery via a specially crafted URL.
An unauthenticated attacker may perform a blind server side request forgery (SSRF), due to a CLRF injection issue that can be leveraged to perform HTTP request smuggling. This SSRF leverages the WS-Addressing feature used during a WS-Eventing subscription SOAP operation. The attacker can control all the HTTP data sent in the SSRF connection, but the attacker can not receive any data back from this connection.
An unauthenticated attacker may perform a limited server side request forgery (SSRF), forcing the target device to open a TCP connection to an arbitrary port number on an arbitrary IP address. This SSRF leverages the WS-Addressing ReplyTo element in a Web service (HTTP TCP port 80) SOAP request. The attacker can not control the data sent in the SSRF connection, nor can the attacker receive any data back. This SSRF is suitable for TCP port scanning of an internal network when the Web service (HTTP TCP port 80) is exposed across a network segment.
Allure 2 versions prior to 2.34.1 contain a critical XML External Entity (XXE) injection vulnerability in the xunit-xml-plugin that allows unauthenticated remote attackers to read arbitrary files from the server's filesystem and potentially trigger SSRF attacks. The vulnerability stems from insecure XML parser configuration in the DocumentBuilderFactory and is exploitable by uploading or providing malicious test result XML files without any authentication or user interaction required.
ControlID iDSecure On-premises versions 4.7.48.0 and earlier contain a server-side request forgery (SSRF) vulnerability that allows unauthenticated attackers to make arbitrary requests from the vulnerable server to internal or external systems, potentially exposing sensitive information. The CVSS 7.5 score reflects the high confidentiality impact and network-accessible attack vector, though integrity and availability are not compromised. This vulnerability requires immediate patching as it requires no authentication or user interaction.
A remote code execution vulnerability in langchain-ai/langchain (CVSS 10.0). Risk factors: public PoC available. Vendor patch is available.
A vulnerability was found in Dromara MaxKey up to 4.1.7 and classified as critical. This issue affects the function Add of the file maxkey-webs\maxkey-web-mgt\src\main\java\org\dromara\maxkey\web\apps\contorller\SAML20DetailsController.java of the component Meta URL Handler. The manipulation of the argument post leads to server-side request forgery. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
gateway_proxy_handler in MLflow before 3.1.0 lacks gateway_path validation.
CVE-2025-34021 is a critical Server-Side Request Forgery (SSRF) vulnerability affecting multiple Selea Targa IP OCR-ANPR camera models that allows remote unauthenticated attackers to induce arbitrary HTTP requests through unvalidated JSON POST parameters (ipnotify_address and url). An attacker can bypass firewall policies, enumerate internal services, or redirect image fetch and DNS lookup operations to internal or external systems of their choosing. Active exploitation was confirmed by the Shadowserver Foundation on 2025-01-25, indicating real-world attack activity and operational risk.
Server-Side Request Forgery (SSRF) vulnerability in BoldGrid Post and Page Builder by BoldGrid - Visual Drag and Drop Editor allows Server Side Request Forgery. This issue affects Post and Page Builder by BoldGrid - Visual Drag and Drop Editor: from n/a through 1.27.8.
Server-Side Request Forgery (SSRF) vulnerability in Ali Irani Auto Upload Images allows Server Side Request Forgery. This issue affects Auto Upload Images: from n/a through 3.3.2.
Server-Side Request Forgery (SSRF) vulnerability in Angelo Mandato PowerPress Podcasting allows Server Side Request Forgery. This issue affects PowerPress Podcasting: from n/a through 11.12.11.
Server-Side Request Forgery (SSRF) vulnerability in Joe Hoyle WPThumb allows Server Side Request Forgery. This issue affects WPThumb: from n/a through 0.10.
PowSyBl (Power System Blocks) is a framework to build power system oriented software. Prior to version 6.7.2, in certain places, powsybl-core XML parsing is vulnerable to an XML external entity (XXE) attack and to a server-side request forgery (SSRF) attack. This allows an attacker to elevate their privileges to read files that they do not have permissions to, including sensitive files on the system. The vulnerable class is com.powsybl.commons.xml.XmlReader which is considered to be untrusted in use cases where untrusted users can submit their XML to the vulnerable methods. This can be a multi-tenant application that hosts many different users perhaps with different privilege levels. This issue has been patched in com.powsybl:powsybl-commons: 6.7.2.
urllib3 is a user-friendly HTTP client library for Python. Prior to 2.5.0, it is possible to disable redirects for all requests by instantiating a PoolManager and specifying retries in a way that disable redirects. By default, requests and botocore users are not affected. An application attempting to mitigate SSRF or open redirect vulnerabilities by disabling redirects at the PoolManager level will remain vulnerable. This issue has been patched in version 2.5.0.
Server-Side Request Forgery (SSRF) vulnerability in Trend Micro Apex Central SaaS that allows authenticated attackers to manipulate parameters and disclose sensitive information from affected installations. The vulnerability affects only the SaaS deployment model of Apex Central; SaaS customers receiving automatic monthly maintenance updates are not impacted. While no public exploit or KEV status is indicated, the CVSS 7.1 score and information disclosure capability present moderate risk for organizations with manual SaaS deployments or on-premises installations.
A Server-side Request Forgery (SSRF) vulnerability in Trend Micro Apex Central (on-premise) modOSCE component could allow an attacker to manipulate certain parameters leading to information disclosure on affected installations.
A Server-side Request Forgery (SSRF) vulnerability in Trend Micro Apex Central (on-premise) modTMSM component could allow an attacker to manipulate certain parameters leading to information disclosure on affected installations.
Server-Side Request Forgery (SSRF) vulnerability in Metagauss ProfileGrid allows Server Side Request Forgery. This issue affects ProfileGrid : from n/a through 5.9.5.2.
A vulnerability was found in Intera InHire up to 20250530. It has been declared as critical. Affected by this vulnerability is an unknown functionality. The manipulation of the argument 29chcotoo9 leads to server-side request forgery. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
A remote code execution vulnerability (CVSS 9.1). Critical severity with potential for significant impact on affected systems.
The application is vulnerable to Server-Side Request Forgery (SSRF). An endpoint can be used to send server internal requests to other ports.
Dell Wyse Management Suite, versions prior to WMS 5.2, contain a Cross-Site Request Forgery (CSRF) vulnerability. A high privileged attacker with remote access could potentially exploit this vulnerability, leading to Server-side request forgery.
A server-side request forgery vulnerability [CWE-918] in Fortinet FortiClientEMS version 7.4.0 through 7.4.2 and before 7.2.6 may allow an authenticated attacker to perform internal requests via crafted HTTP or HTTPS requests.
Keyoti SearchUnit prior to 9.0.0. is vulnerable to Server-Side Request Forgery (SSRF) in /Keyoti_SearchEngine_Web_Common/SearchService.svc/GetResults and /Keyoti_SearchEngine_Web_Common/SearchService.svc/GetLocationAndContentCategories. An attacker can specify their own SMB server as the indexDirectory value when making POST requests to the affected components. In doing so an attacker can get the SearchUnit server to read and write configuration and log files from/to the attackers server.
GeoServer is an open source server that allows users to share and edit geospatial data. The Coverage rest api /workspaces/{workspaceName}/coveragestores/{storeName}/{method}.{format} allows attackers to upload files with a specified url (with {method} equals 'url') with no restrict. This vulnerability is fixed in 2.26.0.
GeoServer contains a Server-Side Request Forgery (SSRF) vulnerability in the Demo request endpoint (TestWfsPost servlet) that allows unauthenticated network attackers to make arbitrary HTTP requests from the server when Proxy Base URL is not configured. This high-severity vulnerability (CVSS 7.5) affects GeoServer versions prior to 2.24.4 and 2.25.2, enabling attackers to access internal resources, cloud metadata endpoints, and potentially interact with backend systems.
A SSRF vulnerability in A possible arbitrary file read and SSRF vulnerability (CVSS 7.5) that allows clients. Risk factors: EPSS 17% exploitation probability.
Under certain conditions, SAP Business Objects Business Intelligence Platform allows an unauthenticated attacker to enumerate HTTP endpoints in the internal network by specially crafting HTTP requests. This disclosure of information could further enable the researcher to cause SSRF. It has no impact on integrity and availability of the application.
Server-Side Request Forgery (SSRF) vulnerability in SmartDataSoft Car Repair Services allows Server Side Request Forgery. This issue affects Car Repair Services: from n/a through 5.0.
Server-Side Request Forgery (SSRF) vulnerability in wpdive Nexa Blocks allows Server Side Request Forgery. This issue affects Nexa Blocks: from n/a through 1.1.0.
Server-Side Request Forgery (SSRF) vulnerability in ShawonPro SocialMark allows Server Side Request Forgery. This issue affects SocialMark: from n/a through 2.0.7.
Sensitive information disclosure due to SSRF. The following products are affected: Acronis Cyber Protect 16 (Windows, Linux) before build 39938.
A vulnerability classified as critical was found in quequnlong shiyi-blog up to 1.2.1. This vulnerability affects unknown code of the file /app/sys/article/optimize. The manipulation of the argument url leads to server-side request forgery. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
A server-side request forgery (SSRF) vulnerability exists in multiple WSO2 products due to improper input validation in SOAP admin services. This flaw allows unauthenticated attackers to manipulate server-side requests, enabling access to internal and external resources available through the network or filesystem. Exploitation of this vulnerability could lead to unauthorized access to sensitive data and systems, including resources within private networks, as long as they are reachable by the affected product.
Ssrf in HPE StoreOnce backup storage software. One of 6 critical CVEs.
A vulnerability was found in chshcms mccms 2.7. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Esri Portal for ArcGIS 11.4 and prior allows a remote, unauthenticated attacker to bypass the Portal’s SSRF protections. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
maccms10 v2025.1000.4047 is vulnerable to Server-side request forgery (SSRF) in Email Settings. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Strapi is an open-source content management system. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
All versions of the package mcp-markdownify-server are vulnerable to Server-Side Request Forgery (SSRF) via the Markdownify.get() function. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
maccms10 v2025.1000.4047 is vulnerable to Server-Side request forgery (SSRF) in Friend Link Management. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
A vulnerability was found in thinkgem JeeSite up to 5.11.1. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
A vulnerability classified as critical has been found in Seeyon Zhiyuan OA Web Application System up to 8.1 SP2. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
A Server-Side Request Forgery (SSRF) vulnerability in StrangeBee TheHive 5.2.0 before 5.2.16, 5.3.0 before 5.3.11, 5.4.0 before 5.4.10, and 5.5.0 before 5.5.1 allows remote authenticated attackers. Rated medium severity (CVSS 4.6), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
SSRF Server Side Request Forgery vulnerabilities exist in ASPECT if administrator credentials become compromised*; NEXUS Series: through 3.*; MATRIX Series: through 3.*. Rated high severity (CVSS 7.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
A cross-site scripting (XSS) vulnerability exists in Grafana caused by combining a client path traversal and open redirect. Rated high severity (CVSS 7.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
TYPO3 is an open source, PHP based web content management system. Rated low severity (CVSS 3.3), this vulnerability is remotely exploitable. No vendor patch available.
Server-side request forgery vulnerability exists in a-blog cms multiple versions. Rated critical severity (CVSS 9.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Quick Facts
- Typical Severity
- HIGH
- Category
- web
- Total CVEs
- 2868